a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Size

2.6MB
MD5

c1fe2f5aa024333c9e16b50f567e7edd
SHA1

f0e1e898af04b82b45c24d5350c2afe7f9d2e2d3
SHA256

a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf
SHA512

554b72d82a6a329957070dadfc38253899044de67c9d6bd4f27cb9531b097fe1897b6345be2360a76c8a76a6edd780b71c3e0deccffcdec2e76f8cb6880b6f46
SSDEEP

12288:vj7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7:/cX

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Executes dropped EXE 58 IoCs

pid	Process
740	Logo1_.exe
2416	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3944	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4372	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
372	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1692	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2640	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4220	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4732	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1584	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3200	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
112	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4548	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2804	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1556	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4404	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1856	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2092	Logo1_.exe
5072	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3636	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1060	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3900	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4264	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1876	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1652	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1092	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3988	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4340	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1164	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2636	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2748	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
532	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4956	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
5056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4736	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4512	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
892	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4808	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3064	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2420	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4892	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1584	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1612	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2800	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1816	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4008	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4884	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2636	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
680	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
664	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1080	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1856	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
4372	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3440	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3656	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1008	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2448	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1064	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\89263.com"	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\host\fxr\6.0.27\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A64CD22E-7976-4E35-AF61-1C7DBC1F5743\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office 15\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Uninstall Information\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File opened for modification	C:\Windows\rundl132.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\WINDOWS\FONTS\89263.com	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File opened for modification	C:\WINDOWS\FONTS\89263.com	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File opened for modification	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\rundl132.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1028	740	WerFault.exe	83
1712	1064	WerFault.exe	267

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
740	Logo1_.exe
1856	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1856	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1064	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2844	1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	82
PID 1100 wrote to memory of 2844	1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	82
PID 1100 wrote to memory of 2844	1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	82
PID 1100 wrote to memory of 740	1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	83
PID 1100 wrote to memory of 740	1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	83
PID 1100 wrote to memory of 740	1100	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	83
PID 740 wrote to memory of 1368	740	Logo1_.exe	85
PID 740 wrote to memory of 1368	740	Logo1_.exe	85
PID 740 wrote to memory of 1368	740	Logo1_.exe	85
PID 1368 wrote to memory of 2768	1368	net.exe	87
PID 1368 wrote to memory of 2768	1368	net.exe	87
PID 1368 wrote to memory of 2768	1368	net.exe	87
PID 2844 wrote to memory of 2416	2844	cmd.exe	88
PID 2844 wrote to memory of 2416	2844	cmd.exe	88
PID 2844 wrote to memory of 2416	2844	cmd.exe	88
PID 2416 wrote to memory of 1520	2416	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	89
PID 2416 wrote to memory of 1520	2416	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	89
PID 2416 wrote to memory of 1520	2416	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	89
PID 1520 wrote to memory of 3944	1520	cmd.exe	91
PID 1520 wrote to memory of 3944	1520	cmd.exe	91
PID 1520 wrote to memory of 3944	1520	cmd.exe	91
PID 3944 wrote to memory of 4740	3944	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	92
PID 3944 wrote to memory of 4740	3944	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	92
PID 3944 wrote to memory of 4740	3944	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	92
PID 740 wrote to memory of 3368	740	Logo1_.exe	55
PID 740 wrote to memory of 3368	740	Logo1_.exe	55
PID 4740 wrote to memory of 4372	4740	cmd.exe	94
PID 4740 wrote to memory of 4372	4740	cmd.exe	94
PID 4740 wrote to memory of 4372	4740	cmd.exe	94
PID 4372 wrote to memory of 768	4372	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	95
PID 4372 wrote to memory of 768	4372	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	95
PID 4372 wrote to memory of 768	4372	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	95
PID 768 wrote to memory of 372	768	cmd.exe	97
PID 768 wrote to memory of 372	768	cmd.exe	97
PID 768 wrote to memory of 372	768	cmd.exe	97
PID 372 wrote to memory of 5040	372	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	98
PID 372 wrote to memory of 5040	372	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	98
PID 372 wrote to memory of 5040	372	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	98
PID 5040 wrote to memory of 1692	5040	cmd.exe	262
PID 5040 wrote to memory of 1692	5040	cmd.exe	262
PID 5040 wrote to memory of 1692	5040	cmd.exe	262
PID 1692 wrote to memory of 4080	1692	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	103
PID 1692 wrote to memory of 4080	1692	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	103
PID 1692 wrote to memory of 4080	1692	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	103
PID 4080 wrote to memory of 2640	4080	cmd.exe	107
PID 4080 wrote to memory of 2640	4080	cmd.exe	107
PID 4080 wrote to memory of 2640	4080	cmd.exe	107
PID 2640 wrote to memory of 2708	2640	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	108
PID 2640 wrote to memory of 2708	2640	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	108
PID 2640 wrote to memory of 2708	2640	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	108
PID 2708 wrote to memory of 4220	2708	cmd.exe	110
PID 2708 wrote to memory of 4220	2708	cmd.exe	110
PID 2708 wrote to memory of 4220	2708	cmd.exe	110
PID 4220 wrote to memory of 3648	4220	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	111
PID 4220 wrote to memory of 3648	4220	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	111
PID 4220 wrote to memory of 3648	4220	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	111
PID 3648 wrote to memory of 4732	3648	cmd.exe	113
PID 3648 wrote to memory of 4732	3648	cmd.exe	113
PID 3648 wrote to memory of 4732	3648	cmd.exe	113
PID 4732 wrote to memory of 1164	4732	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	180
PID 4732 wrote to memory of 1164	4732	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	180
PID 4732 wrote to memory of 1164	4732	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	180
PID 1164 wrote to memory of 1584	1164	cmd.exe	219
PID 1164 wrote to memory of 1584	1164	cmd.exe	219

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3368
- C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
  "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA170.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
      "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA24B.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA652.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA950.bat
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAC1E.bat
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aADF3.bat
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB110.bat
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB48B.bat
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB6AD.bat
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB8F0.bat
        21⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBAB5.bat
        23⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBC7A.bat
        25⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBDC2.bat
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBF87.bat
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC0CF.bat
        31⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC246.bat
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC3CD.bat
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC525.bat
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC757.bat
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC95B.bat
        41⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC9A9.bat
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCA07.bat
        45⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCA45.bat
        47⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCA93.bat
        49⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCAD2.bat
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCB10.bat
        53⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCB4F.bat
        55⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCB9D.bat
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCBEB.bat
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCC39.bat
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCC78.bat
        63⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCCC6.bat
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCD04.bat
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCD52.bat
        69⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCD91.bat
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCDDF.bat
        73⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCE2D.bat
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        76⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCE6C.bat
        77⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        78⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCEAA.bat
        79⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        80⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCEF8.bat
        81⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        82⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCF37.bat
        83⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        84⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCF75.bat
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        86⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCFB4.bat
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        88⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCFF2.bat
        89⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        90⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD031.bat
        91⤵
        
        PID:2460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        92⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD07F.bat
        93⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        94⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD0BD.bat
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        96⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD10B.bat
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        98⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD15A.bat
        99⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        100⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD198.bat
        101⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        102⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD1F6.bat
        103⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        104⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD234.bat
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        106⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD273.bat
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        108⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD2C1.bat
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        110⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD2FF.bat
        111⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        112⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD34E.bat
        113⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        114⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 184
        115⤵
        Program crash
        
        PID:1712
        
        C:\Windows\Logo1_.exe
        
        C:\Windows\Logo1_.exe
        35⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Kingsoft AntiVirus Service"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1012
      4⤵
      Program crash
      PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 740 -ip 740
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1064 -ip 1064
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aA170.bat

Filesize
722B

MD5
0f00359bed30a2efa163471fa43fbc0d

SHA1
68789bee83c72e5a4fcc87ba4b809949911cf905

SHA256
ec7da628106e5bc6cea81f8771609c18395b9bc340961e672357b5a886479b9c

SHA512
0f3f52a5d7b12b9789452564f0374f6887e00e986f538925e1814ecbe58cc82e9c56e39b76fc087a8ea3448ca127b5a54fe39bb15a70bd880fa99261b414d8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA24B.bat

Filesize
722B

MD5
fbd2f3f08bb9eaec472b928f532b5f5b

SHA1
19b00ed2f0172b148658d69e238f7129768a6efe

SHA256
a8808a815946116defdd730af5105573773482b815a2d214cfaa39e26d6c8114

SHA512
4aa01f9be5a1ac8b1bb8d2903927c0c2c1c0b6a3e5709662b255312e26b1b64d018a0a6c3dd289ae882f3d57ac7025499d80758c9d69c38ee27b042828a73950

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA652.bat

Filesize
722B

MD5
460f1d302ab13539d85c4190dfa6174f

SHA1
97f822b2d3db939f9f08bbfeee625622bb0559b8

SHA256
aa84fdb0b0b54cb3777dd313e05c0224d169f586d909932f79a9b70011ae114c

SHA512
64739d58fb2478cdfd61d911be249080802084691c850ef52cdc25086f4a23f3485a1c789b597587762f9671193637f73e895d4b59938ca5c9e7723f54272a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA950.bat

Filesize
722B

MD5
5daca38e82e5875cd91ba68034a3dd8c

SHA1
a66e6d784ede2ea0dc20a981b8c4cb2ef8e401e9

SHA256
d20cd8c760925782dd48563f1c289f1f1b860ae7e61e33e2e99bcb72df2ad8ed

SHA512
a211a42cfd1e1b78c16127a6a1d48bc89d00ed19c99c8e8e67040af34ce9ac407a768926144298099496a1cad4c4c26ca656a43e1e3684642ccfd62a2b844671

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAC1E.bat

Filesize
722B

MD5
c20b03039c1a4c1dbd6791d1420852ac

SHA1
adaf430d0abb75be7794fd9330f0bc0a5590ff85

SHA256
1ea1b6e102e66d56e7dcca9e6bc5d65a7a08d54cebe1394e7c4348ae04f2b992

SHA512
5a8cbc375276fd2d4587f17259407b7035db515bc2f78dfe8edfd953ec88e8bf9b4fe5535e3c14ea5731e12c08a3aa7c8798dd29c1589dbd49b066a884010bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aADF3.bat

Filesize
722B

MD5
1c30316d0d22d6991f69f7805173983a

SHA1
5eac0352971c75f24d1982cadcd64b83ca01ed87

SHA256
ac084319348a5c66b62b40e512e970490c88dd4287d927aa591dd6c7f6e8b09e

SHA512
f8516ef248ed3e774034cae91e788343846efa5716a64c71cc83855555f05e95e87d3569714eee6f17d1688bcefe92eaf701ab00c17cdd96e3bba2b7257c85f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB110.bat

Filesize
722B

MD5
a9581f4fcc24cca2e0ab3cb79a117254

SHA1
490af7b4faba3d31ec8f28c2502c98dc1e2da591

SHA256
a2b3c810c09e22ffda450c59aa5faf5e87cb390535e67c6cf5209e435c79508a

SHA512
ac96c815687cd2edc537f65c92fd49f31307914b79a5c80dd0b20afc7f54d1b6ba8e837445ec324a91b250c1f4b13494ae96fbe2821320c60a42710b6431124f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB48B.bat

Filesize
722B

MD5
aa4b3ab4be0bd427df41a787eb9e2e99

SHA1
177a75dcb21ba602a9c8cab950aae20c5605ba2c

SHA256
22651789383647f51015d8e848b93c880ae7cc1e13617ddae2c0d3c34e4d9c84

SHA512
b88124404c284abaed9bb2e2f3484c8a060f0a63d226e82873f7d6891a5b8e42c3b6ec5c871255346fd889b7857976f1fb4c9797e12ccf0170e9dd1956d58c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB6AD.bat

Filesize
722B

MD5
db9b0f34bc46ed3fc809cd2857d9ad9a

SHA1
18bbdfb966d722046f96360edb61307a6a26e4d3

SHA256
8484858cb5651cc5274fc6248297f8dac91985bbfff98ec2aa3a103ec0ce4b50

SHA512
a4dcd482fa4def285c9b6d2fafc6ed5c57d807d0e4fa01485dd7403047f177643832c9558351eb11ffa42f7e29c9361e75b3fe898b4c377fd8ba416bbcb448cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB8F0.bat

Filesize
722B

MD5
adfcabb31e5acdbf4526d56d667306d1

SHA1
4dad33e898ce6cedbcaf91d961d3a60b7e20cd3d

SHA256
ca216ed87ffc709eed49bb6e2077017b5fedd2bd7a397121442991815feaa4c3

SHA512
bd4330d6b5c198dbc267ea0e4cfbc3f0373cf0b403d447a8a6777bda3be1e9b13b328a99f0e30e229e27440c4a269db9ae6888061e81d95f43a0d6bb41f7b738

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBAB5.bat

Filesize
722B

MD5
d489db9a48f3be2bb3b629bdbaebd8d0

SHA1
24cd5035187719644489ce23d51e778fa03088a7

SHA256
a013b8871f4f7c7b1a8e16b27b8d7269cc26697a26c59c255c3915e30620ea44

SHA512
8867c43a2e9cefc91fcda4847e9bad01fe0eec19b24b933a0b9d0671cbc881f3f553aa8bfeec570ba4fd8d24d8af71a06c87ecdb1439c7b9ad547156f85cdd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBC7A.bat

Filesize
722B

MD5
ae45a7b3f1e51c0750d454017ee84bef

SHA1
92fd6d9c31629e660613536cf8c93556b5700413

SHA256
4295eb6dd7ea42db79cf9abfa923a38a7e246b3bf9df9e626a2505a733995b1d

SHA512
15275d3855ff888569f33b8309a804783770ec029da1b5e747bf26a7224be8cd40c738031753c29edcfd52d82287651621a1fc82e0916b2fa899375c64843ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBDC2.bat

Filesize
722B

MD5
31db95c70db3ef619277f54e041d0adb

SHA1
4581396e35a9891871dd651169996d49f1dbadcf

SHA256
afcdfceebc830ea315f49108a542e5f13f4fa4d9bb3af3f8611a92e345242b4e

SHA512
7fe987344630a41e2a18a0d80101699bac39b2b6245885b7fecb501817da35dfeab54fedf520095d4ceb660a096c0afe54700c1266d3e5e6cd2568316443004c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBF87.bat

Filesize
722B

MD5
6dfbe4a75d0cda83348effef8a009fc5

SHA1
7157dbe3e4aab12e2b47cf8ed70df4bed239159f

SHA256
a220ca34d8bbf679866ae9c305e8f976d2de6d959edf6866e8fa4c10484abf7c

SHA512
fc4ea15ed53c4f26dea45dc71bfd17db6825705d5e361a736aab2d32ab8dcffd645173d9073a0b5c6ad4d76c5b0ac6912d3f5310d1cfcada8733f8a49a28dbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC0CF.bat

Filesize
722B

MD5
fb8fe5ea0eb658885e0bf45c7496b45f

SHA1
cf46f4e6fc34914de74070636c26a17a08c274d4

SHA256
bad554c79a3acc11d98e61774d7db658f03a329404cf6252fda8cf48ba0ce9fa

SHA512
af9ef9bdb9d1e200b22a3d77ad24239456d0b10f77bf4eaa23c081d3fa3b3a49225fe8e9b58d130f204206a4f8a3aa8973741b1276a114de2d6cff411eb75345

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC246.bat

Filesize
722B

MD5
cbaa734ad3931f6e379407853ba5e435

SHA1
e39543354ac18d8bb94602821e9cf22441ea177a

SHA256
ac13b81f806121c7964c87fd8b77e3f7a21359cd183e1e6a12bb432faab5741f

SHA512
fb52521d9246faffcc14d3f51c780df173dbf6c558fe8f2e8da27886bd08060378efb786b6d955cd1ff97b00982d8e15819dce5623cdc54e0fed59f43f37840b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC3CD.bat

Filesize
722B

MD5
1b026f76656404f3ca2c7beccaa06680

SHA1
a25f301fb0f7f55b6ffe702376ff3782bb92f092

SHA256
e935d05b42563a4eb9e5cb89cbeba5d23c11f40b07ad2e81e5606f0d91a6b808

SHA512
8f2b1c79d9fa5939ccb58385874552fe74c88afb30cff8da2cec04ebd9ce547f04bdb4ddd6f5719075db10c6e981bf3d1d512b2f32b686485e3e1463c81b10c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC525.bat

Filesize
722B

MD5
de685f3575ad38530c76396085136ea5

SHA1
084c878f362d3750b196c72b029be5dba45df897

SHA256
e996c2bc6c4271a650b9f8472d8836ab2798eba74ac8e7476fde6032c0c72427

SHA512
d17c6ee3671acde02ed2e2bada1773a4292458f890a5aa2591147211718d5dfbb4b8a57ce6ca1f99ecd938656591ccade5b651c2bdf7682d4c409c3c9b637f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC757.bat

Filesize
722B

MD5
4cfbe8afd95f89c0bd19100de54d4169

SHA1
2009f43042872cade4fa038f63595f67c1350138

SHA256
c58fa818bf87e2941ea46daa163f0b52a45df8b99d4bc7678651dd220641a2e8

SHA512
7a982feb97e4d152149d74258302ddfe5085444c0eeffed103471d85b1e28a31f8d04efd676f33181db79f56c8ef23343c5d4b132ff603c7aa385543382f0187

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Filesize
1.8MB

MD5
f7bd915047964c6345eee588679d3f6c

SHA1
818772db9065eda9a6ccd20eef06d5256280e17f

SHA256
41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327

SHA512
301ac44daf8b6121b70c3bdf106b6e15af2c8727c91ec81a595186614ad3f1b4cc431d254dd59564ed84abee23883c25bed5e9233b2dc20c6fcb0393e7bb6585

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.6MB

MD5
318d2c741656f06f7d7aa2da999a32f9

SHA1
0522ded7028b5cabcacf251fa66bbaa97658eb14

SHA256
c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b

SHA512
5f4ef057b74e27fde7970f714db3fbc9585ffe4ef3096c89297b4a892446c4790373dfe2c6b0c784c25869c0a85ba22d71627c2012b4b9011e46ac3f840c9fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.2MB

MD5
0655f93740d40e73a63659f993376388

SHA1
84e3cc33c3c25c26392128ea0dc5062cbc89c8ed

SHA256
e5301178fee0cf24e3a15b43642c7d1da8ebe5e945cdeee6e4688d9e72f82b15

SHA512
91e7b34f63c9b4a3a9077462254238d4024553fe189d598f8ee913ef2f45293472e3244870659e88e33beddc184ecc48e1812ac9a912d9bc9fcf4fd5b9c12ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.2MB

MD5
14b760d79bf066c92c043709056178ab

SHA1
153176def6ae9b5e3db4a1d70d30a65d315d3276

SHA256
b410192124d4903c587feeb9837753fac84c61209f3ae1d0b79bff93de82d2d2

SHA512
2d66ecf676de0fd9b18ad3db0ed2b4dbb3ab1a88519303155af4a396bde4ab900e0c7891de96d93037669ba16f76d6bd8cd21b0cf73737a65bb5bca422a9c355

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.0MB

MD5
6f1ffe9f3e17d6f1cda7e625d1b89b9c

SHA1
6c2e76cdf67bcdd5d4a354f319ab529586130cae

SHA256
ea51d7ab1e6a2d2aed2aa02c1a1088c30ea53afd8579be36f20b79e7e4fe74e7

SHA512
edb3d591356d6d2963f61dda2678d579df61366d7502b5e4d8d54e8dc7c1bfea167a77745d9a8eb0019be5efc41032bc3369cac2070531a565d71574de0757f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.0MB

MD5
760a878c0062e76cd1c4685ff30ecfca

SHA1
1c6c49bea462a0a5eff52c635f606f5e73bcfb7b

SHA256
d5c8b63e8e9b41355232bca7a5858058b489bd439c8d3d446c9de098dde7e4a1

SHA512
ae861a14a1302a63e28dd94014b2ddd4a2335e0656d31fda3ef30bb6c435a6a6c2138bbbc616aeb7fd0fad5d5d63a504ac34ff193f0ce54b0e539490c53ab0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.5MB

MD5
082e82ae38f578da89a8fb10407dd43d

SHA1
efa9c8f351a27e0534213096b10e43468e69f4fe

SHA256
7a0e4349ed98deafa6f26ddd1289a9c671fbbcf2f8d3fdfb45acfe809e89f0a7

SHA512
be73b48aed9fbedf424c65cd5c6d83442f628205856364ed57d5eaceda20ed852d613456e376e7fd85c17bb9be533e6695894af0578a6625788b80069ac6a23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.1MB

MD5
286dfd9e19e5bb83a98ac2b2e20a7403

SHA1
f4ca430d2669af6a56f89a1c3adfb6cca459cc60

SHA256
060afb27e8d052abd7965c922e4b826e3325db24646037b3dd6b92aad77f1858

SHA512
45742bbb0017f2a25b4ee773504a7369b5d0d454bb570192fb05e4747d80ab0240f99bbf2c8484ccfa44978db1b3c815c378d0efad66bf6161b67639c81f716f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.1MB

MD5
7b781c296c9518ce7e93f77b8fe3bda3

SHA1
124bd189e2510f852183f51faf67278c8cd1b2e6

SHA256
c50db397ecab6ee6a577d51d1f81d51cb99b2ce149797c8d8c0d59882ab2a7d6

SHA512
24be4115fa2230e35649dce2d1536f25f3df3a7192e530a87cdda00393f1de715264acbab98c745ea7f65f64ce713d01598ed031ada25a61c66a830b2e872c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
1.9MB

MD5
66c74ff5a6fd63536d9510a0ef504561

SHA1
6b34a7e9fb3e220899f77b76c2b26db3e8fa175a

SHA256
535c14bafe9e75f724fae0480e24d0be0c801dbf1d2b81d9d300abbdc7eac326

SHA512
12ce8aa2c0f55fe69d865473580953748bc479e5970b3a82ac673aa2020f89b89ded1ace166f3e5a95138fe996f3f6f804b69a81424404db706527543df865e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.5MB

MD5
2d8020710bd51a9280bb8c23c28bff6a

SHA1
3b6ad35921dd59358b04ec304b922a7aaa2149e0

SHA256
c58bcec14503c2167a549ddec40418a4151c1624287f76961539d66e52bc7146

SHA512
d7e146017539111d7f45efa9260d3ac12840ec34574ed6512a3c498ff368eabfe68ae5117c34207170057e81361daceda7ece2c48b25642dc2ee33b82b0b8b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.4MB

MD5
3baae1aacb86eefd1732edd07f95936f

SHA1
e8e6b0b06ebae55a45c6405e27d131076b280208

SHA256
055e7eb2f930f945226daf682591695c6895cfc321c30a1ed1c580d3addcec25

SHA512
3a8d665f83c8ce15e4f093bdc10ed4388d8ce603c8f6ea41741f56909659afd46ef8a1bd9d49e065e9a7abe5f400f0660aaaff1956b26f6b1abb7ca213f6d752

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.1MB

MD5
9b6b7050405a5f58449bc2939acf98ef

SHA1
4e5d761679c6b602cb1082f9264a4a332d524efb

SHA256
5d5d2ef460f6be067a1cb5a15f116ddd5bc66e6c687d3c65b8777fce2fa5dd41

SHA512
1b3624b711aa854d28f0d3e37e0e83fb5e74c7a57e13c52823b33ce254a7003516e46b4383201ee397c1fbfb472c5ca183fd9b994b0929e746cb6caf317cc55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.4MB

MD5
58231e8a54a4d5ad10981a9261d6df2f

SHA1
79fd962af3dede9832de8856fb96b7723cc2ef09

SHA256
1a2fd6986c0d5d25002b7ef2ffdeab383f7cb19ead19248c7207e5d26bd67f99

SHA512
7e53168e58d3c2d8472a589a711366d932f5295e330544b6ded5a32e44d857f823465ef572ff5d2145ebb5e9d597913c91b6e798177c8d81876bd63eaadb94e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.4MB

MD5
ac788323972e7ee7243e740ff2f8daae

SHA1
6acd6d700849ca9ad064481461f4b7988dab1945

SHA256
5e7a0c5ef3211fc58e0eca20df194b478942534d5968441fc354686ba7222ebe

SHA512
ba1e52d4d8ea9400b359ef4982504010bd12a007d174ac86187050368c03b78e89b51324429d909741e4f1598be2eab28d0b400f0698b8e085f12beeb6921778

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.3MB

MD5
ee5224c7af0ca448809311f5d5d0ac92

SHA1
6e9d7c7b30a008db94a17f40bd0df234b34b035e

SHA256
1e631817553d5d6546691864c336086c6e6158b7031d93abd85b7be28f952e95

SHA512
46dd8f473c8b28d152d9d176b2f7c3e670c61f58eda2ab21a6e5fcfd328fbb57ca57d38419e5228a2db8057bd9c53048650985bde5d2f0106d53c1ce0dd4ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.3MB

MD5
ead3d576cab6bb3e77414935b36ace66

SHA1
e347ab64ced05a4e50b4905cb800147620a18e6a

SHA256
5600effef951ba7fa3bed54b59a857bc26814b45e68c7462f67b1714258b73f5

SHA512
38fd77828d2d8796a33b52e0b57cefb792064a9cef691c8dab97331321a3b3eae6a7c0918c3617a00bab16a686f52c9296ffb022d2b78bcaaa51e9cd1146112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
1.9MB

MD5
e306a7fec9113e90189084cb07499334

SHA1
6c12e3ab33c22293a6a996a1a154b6919b3a4adc

SHA256
dd2728054713339202299c7ea5c925f0e013a109606d634d7f5f1a78c3bf9294

SHA512
769d475e6367e75bfdd1988c0a381ddb015ada030fe3240adcf9e7d4218a2be681dccb3db80485761576499b64c90630c08d43c872ddc8c45ef525b19f7a6afa

Download Submit
C:\Windows\rundl132.exe

Filesize
44KB

MD5
6d85a04f5bb329cbba3880c43337ec52

SHA1
8c2e62f730619b2e06a5fb802e115606b664525a

SHA256
ff95e5e3fea6e5f9692d24c81ab36bae1013658a34bc60cdcd9b4c591e7feec1

SHA512
31919b83c1b66e4eb99612c6b23a7dfc1cd107e51e3178bc8fb695c8243d7493f43b05a4ab8d0880763aa584ccbecdb1b61b31f0a66d8a92938884b9ef04daf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\_desktop.ini

Filesize
9B

MD5
888e0958022ac10e914e1c9ca3f383ab

SHA1
37d80b3ecaacfed7092fcbe70d7c1000a5246e09

SHA256
627942d6123a7fed1e8414a3d46906af51b7c5f06837df6d288707d29a84e1a1

SHA512
a643219412a29dde13c4d0a9619dbdea00193e91276e163edf546f3392c704a8c2936a2c27d2a0206bfc3ca592d7d79be849c51a1d9af0e4d237cd3dc47eeec4

Download Submit
memory/112-1839-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/372-50-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/532-2257-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/664-2330-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/680-2326-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/740-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/740-2176-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/740-1306-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/892-2277-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1008-2354-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1060-2211-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1064-2360-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1064-2365-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1080-2334-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1092-2232-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1100-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1100-11-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1164-2245-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1556-2166-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1584-1349-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1584-2297-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1612-2301-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1652-2228-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1692-62-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1816-2309-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1856-2187-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1856-2338-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1876-2224-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2092-2367-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2092-2366-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2092-2237-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2416-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2420-2289-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2448-2355-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2448-2359-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2636-2249-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2636-2322-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2640-69-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2748-2253-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2800-2305-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2804-2159-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3064-2285-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3200-1832-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3440-2346-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3636-2204-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3656-2350-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3900-2215-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3944-29-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3988-2236-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4008-2313-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4220-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4264-2219-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4340-2241-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4372-2342-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4372-37-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4404-2173-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4512-2273-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4548-1846-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4732-372-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4736-2269-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4808-2281-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4884-2318-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4892-2293-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4956-2261-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5056-2265-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5072-2197-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download