41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Size

1.8MB
MD5

f7bd915047964c6345eee588679d3f6c
SHA1

818772db9065eda9a6ccd20eef06d5256280e17f
SHA256

41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327
SHA512

301ac44daf8b6121b70c3bdf106b6e15af2c8727c91ec81a595186614ad3f1b4cc431d254dd59564ed84abee23883c25bed5e9233b2dc20c6fcb0393e7bb6585
SSDEEP

12288:vj7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7g:fcX

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Deletes itself 1 IoCs

pid	Process
2988	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 39 IoCs

pid	Process
2704	Logo1_.exe
1508	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3064	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2188	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2396	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2356	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2348	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1056	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2936	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2112	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1940	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
872	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
872	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
764	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3052	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1004	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3048	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2760	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2732	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2224	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2720	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2152	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3056	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1904	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1220	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
860	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
916	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2940	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2204	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2272	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2028	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2080	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1972	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
712	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1668	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
292	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2836	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1088	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Loads dropped DLL 64 IoCs

pid	Process
2988	cmd.exe
2988	cmd.exe
2568	cmd.exe
2568	cmd.exe
1204	cmd.exe
1204	cmd.exe
572	cmd.exe
572	cmd.exe
1200	cmd.exe
1200	cmd.exe
1116	cmd.exe
1116	cmd.exe
2508	cmd.exe
2508	cmd.exe
2980	cmd.exe
2980	cmd.exe
1644	cmd.exe
1644	cmd.exe
2936	cmd.exe
2936	cmd.exe
1276	cmd.exe
1276	cmd.exe
2008	cmd.exe
2008	cmd.exe
3008	cmd.exe
3008	cmd.exe
1688	cmd.exe
1688	cmd.exe
908	cmd.exe
908	cmd.exe
2400	cmd.exe
2400	cmd.exe
1512	cmd.exe
1512	cmd.exe
2748	cmd.exe
2748	cmd.exe
2000	cmd.exe
2000	cmd.exe
1620	cmd.exe
1620	cmd.exe
1716	cmd.exe
1716	cmd.exe
2584	cmd.exe
2584	cmd.exe
2236	cmd.exe
2236	cmd.exe
2648	cmd.exe
2648	cmd.exe
916	cmd.exe
916	cmd.exe
2396	cmd.exe
2396	cmd.exe
2676	cmd.exe
2676	cmd.exe
784	cmd.exe
784	cmd.exe
1888	cmd.exe
1888	cmd.exe
1948	cmd.exe
1948	cmd.exe
1880	cmd.exe
1880	cmd.exe
900	cmd.exe
900	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\B85F8.com"	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\_desktop.ini	Logo1_.exe

Drops file in Windows directory 43 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\WINDOWS\FONTS\B85F8.com	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\rundl132.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File opened for modification	C:\WINDOWS\FONTS\B85F8.com	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1088	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2988	1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	30
PID 1072 wrote to memory of 2988	1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	30
PID 1072 wrote to memory of 2988	1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	30
PID 1072 wrote to memory of 2988	1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	30
PID 1072 wrote to memory of 2704	1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	31
PID 1072 wrote to memory of 2704	1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	31
PID 1072 wrote to memory of 2704	1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	31
PID 1072 wrote to memory of 2704	1072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	31
PID 2704 wrote to memory of 2224	2704	Logo1_.exe	32
PID 2704 wrote to memory of 2224	2704	Logo1_.exe	32
PID 2704 wrote to memory of 2224	2704	Logo1_.exe	32
PID 2704 wrote to memory of 2224	2704	Logo1_.exe	32
PID 2224 wrote to memory of 2928	2224	net.exe	35
PID 2224 wrote to memory of 2928	2224	net.exe	35
PID 2224 wrote to memory of 2928	2224	net.exe	35
PID 2224 wrote to memory of 2928	2224	net.exe	35
PID 2988 wrote to memory of 1508	2988	cmd.exe	36
PID 2988 wrote to memory of 1508	2988	cmd.exe	36
PID 2988 wrote to memory of 1508	2988	cmd.exe	36
PID 2988 wrote to memory of 1508	2988	cmd.exe	36
PID 1508 wrote to memory of 2568	1508	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	37
PID 1508 wrote to memory of 2568	1508	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	37
PID 1508 wrote to memory of 2568	1508	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	37
PID 1508 wrote to memory of 2568	1508	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	37
PID 2568 wrote to memory of 3064	2568	cmd.exe	39
PID 2568 wrote to memory of 3064	2568	cmd.exe	39
PID 2568 wrote to memory of 3064	2568	cmd.exe	39
PID 2568 wrote to memory of 3064	2568	cmd.exe	39
PID 3064 wrote to memory of 1204	3064	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	40
PID 3064 wrote to memory of 1204	3064	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	40
PID 3064 wrote to memory of 1204	3064	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	40
PID 3064 wrote to memory of 1204	3064	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	40
PID 2704 wrote to memory of 1260	2704	Logo1_.exe	21
PID 2704 wrote to memory of 1260	2704	Logo1_.exe	21
PID 1204 wrote to memory of 2188	1204	cmd.exe	42
PID 1204 wrote to memory of 2188	1204	cmd.exe	42
PID 1204 wrote to memory of 2188	1204	cmd.exe	42
PID 1204 wrote to memory of 2188	1204	cmd.exe	42
PID 2188 wrote to memory of 572	2188	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	43
PID 2188 wrote to memory of 572	2188	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	43
PID 2188 wrote to memory of 572	2188	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	43
PID 2188 wrote to memory of 572	2188	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	43
PID 572 wrote to memory of 2396	572	cmd.exe	109
PID 572 wrote to memory of 2396	572	cmd.exe	109
PID 572 wrote to memory of 2396	572	cmd.exe	109
PID 572 wrote to memory of 2396	572	cmd.exe	109
PID 2396 wrote to memory of 1200	2396	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	46
PID 2396 wrote to memory of 1200	2396	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	46
PID 2396 wrote to memory of 1200	2396	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	46
PID 2396 wrote to memory of 1200	2396	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	46
PID 1200 wrote to memory of 2356	1200	cmd.exe	48
PID 1200 wrote to memory of 2356	1200	cmd.exe	48
PID 1200 wrote to memory of 2356	1200	cmd.exe	48
PID 1200 wrote to memory of 2356	1200	cmd.exe	48
PID 2356 wrote to memory of 1116	2356	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	49
PID 2356 wrote to memory of 1116	2356	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	49
PID 2356 wrote to memory of 1116	2356	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	49
PID 2356 wrote to memory of 1116	2356	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	49
PID 1116 wrote to memory of 2348	1116	cmd.exe	51
PID 1116 wrote to memory of 2348	1116	cmd.exe	51
PID 1116 wrote to memory of 2348	1116	cmd.exe	51
PID 1116 wrote to memory of 2348	1116	cmd.exe	51
PID 2348 wrote to memory of 2508	2348	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	74
PID 2348 wrote to memory of 2508	2348	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	74

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
  "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2CAC.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
      "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2E03.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3015.bat
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3331.bat
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a363D.bat
        11⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a39B6.bat
        13⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3D3F.bat
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a407A.bat
        17⤵
        Loads dropped DLL
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4338.bat
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a45F6.bat
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4921.bat
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4B52.bat
        25⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4DC2.bat
        27⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a50BF.bat
        29⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a512C.bat
        31⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a516A.bat
        33⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a51B8.bat
        35⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5216.bat
        37⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5264.bat
        39⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a52B2.bat
        41⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a52F0.bat
        43⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a533E.bat
        45⤵
        Loads dropped DLL
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a539C.bat
        47⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5419.bat
        49⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5486.bat
        51⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a54D4.bat
        53⤵
        Loads dropped DLL
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5551.bat
        55⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a55CE.bat
        57⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a563B.bat
        59⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5698.bat
        61⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a56F6.bat
        63⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5763.bat
        65⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a57B1.bat
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a57F0.bat
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a583E.bat
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a586D.bat
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a58BB.bat
        75⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        76⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a58F9.bat
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        78⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1088
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13914415201393450817-14958533392079668866-510082124-1182458924-1389077261343906491"
1⤵
PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-64543641-737459896-1188772543-66842701-190063624631427986-16965670261897688622"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8751782653302246-7764828951924480403-1351212661-997105623-54696480-1144603841"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16378449491960952733-16403513751665438839-19452264281685399670173299180436794440"
1⤵
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a2CAC.bat

Filesize
722B

MD5
7da8c1b7b7e46235df26965b17e184e0

SHA1
4693d5370ba9bf481f4c240b04b02cb8e03335d3

SHA256
6f427896ff5ca486c21bdf803801203f11b60dae97aa42906546f9c30ada3272

SHA512
0802d0a9eb2506b598f464063d461590486e1d79150eed885325b6242bafe0ae0b31a1e6570e923e5f2ae9377b0c1b446f564d47155b358a696257bf2cd05fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2E03.bat

Filesize
722B

MD5
1b2800d5eb1e675183aa0b930db9e06f

SHA1
1ee9c622825449b4a90748ca7108c99b9a981a5d

SHA256
fe5844282483a97d015e9386cc40189c84060fcb3a87b3282bcc757524e39548

SHA512
0341f5b0baf9369336733a1c764730eaf26d0b100b24ff729a3b0c5ad281c12266425c45ead66129999080540a0955a1543489442f58c509a3fe593de9a2cb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3015.bat

Filesize
722B

MD5
82241eb8094a84465876505f158ee48b

SHA1
4b8f75edcb90240ded01bd3074eb8a416056e16a

SHA256
f6196b8e15b2e78af4354ae635176fef4f7c1a894ed4d7b4f057430d63b36369

SHA512
e4aa9ce5fd5331a99c2444928ae9b157de7ea0e50833ce3c9a2a6781a62236d967e8ee556801148eaed416e32706cc1292d36f946ed259e7d975f8388e26479b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3331.bat

Filesize
722B

MD5
2aedf8bc3af63d2b76aa760a3f9df7e2

SHA1
bba027c2e350062de33961ad466b2a3ca7f8cceb

SHA256
fc75869b6d805f948caf69d09a9190743952a90703a3fb7f3e7237c60b58b41c

SHA512
d857ce9490be0547f0e263a5b6c2f7428b3424fad3acd7eafedf10ad00515488ebee76e692b8af799b44fe2949a8861ffb91b458886255e35dddd5619ac35254

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a363D.bat

Filesize
722B

MD5
50cdd6bc9284767b8b87d991124fb8f4

SHA1
35292676ccbd1040ad90637c81eabeaf334ce0a0

SHA256
887b03bc48344afc883adcd08cd6957fced153c69aaac24e7a3d3cbd88bb0899

SHA512
4fbce41e921f1a0f0587d22939daf71ee64582666a0044066e922281824daec317a3907fc711834a21a7803c81e20d25b58430abbd725eb137c93e21ec9c9533

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a39B6.bat

Filesize
722B

MD5
1f322b0e5feb55dc1ac06f45cfb96eca

SHA1
e3d3228ffb521f7e17e908feaa9f2afb219f31b2

SHA256
6045ed85f715f3dde34c9dd945d6a1a853f486d90d665bdbd9347099278ed9c3

SHA512
0731a8830c2319f6a2cb9e3532224d928fdc13df4e1e0d1618a4514fb0314d3129baaf2c4431de7e489c86a50cf1dd035527eab069be79024f41386e98ed08b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3D3F.bat

Filesize
722B

MD5
03a7faf5cfaf981b0e0fb59e07ad3f3e

SHA1
7011e532bf77d605029473159c29198d52c5ff1b

SHA256
5993a913be8d3dede94f7aa3a3c90434243cccee18c8500eed797754b8ba89fa

SHA512
4680e4f22450641a1c12f47e03cb6d4062aa0cabf7e750c99e78e238f77952d6030e480871341b61fc44b40d365f8915676526a4947996bb848823263729a382

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a407A.bat

Filesize
722B

MD5
72199e51ec9e4c81345663c148875526

SHA1
5fdcc012e5779792d7ae7d483356d975db67357f

SHA256
712c98cadd2d0f7b0e0d84309b6dd2479c7aaf07f88fbc5dc6b899306b56b2b6

SHA512
f43d5b13dde61f04337b3248be51bc3a5a1bfbb41f6bdb445d46e08ca0b7dcd4665465c0d8b1960964f44148b14d449cb052fa49e83c49b1851da783b8b4374f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4338.bat

Filesize
722B

MD5
4625f87398dceff9213e3c046563ecba

SHA1
374605cad9867e0f45fdc92f677f52c08b469351

SHA256
09cde97e2335b7c2515c04862dd52c4da1d26c5c455e82205e6cafeb3f8cc558

SHA512
ac739ec0474a774e2dc7e77d0fb2b3d55c28c6286d3f2a8e88fb3d366489092f06a61b2f51470c6b4fd14369e70f3b68b659228065cd0ce67d58c9408ac3bf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a45F6.bat

Filesize
722B

MD5
f72d71f14cb246744805afefce455fe0

SHA1
75b5481deaae29d68b5809f45cd817ca61af0a7c

SHA256
7c2c3acbabcd248945320c31c704f6e5a9ac6affccfeb2cbb8ffa1aec37c362a

SHA512
c5a1aba9485bfc3915a220df59f5c21faa5cdc6e1fa1c2b11eef894f7ddb2ae3d5eede80dbfbdeac0e58da2f3ab1f01e1981cfdde4308899a8b109a62a79ccd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4921.bat

Filesize
722B

MD5
2731801b6ef1ebdd86062a97244b8c96

SHA1
cdbd5c09c673fdb86d43cd062d50454c11443c51

SHA256
4825b9d3f0c98fc8d29e6827c6ddfb882ac8100fc267e86e83a7f50d82b61baa

SHA512
4171dff1c37a6196a947f3d51091cc6292d1cce8da86a9a92551460f652c3372a32ad45a81561a5feafca95cf64c2765b74ba44bfd5ed178a29626e7a00bc1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4B52.bat

Filesize
722B

MD5
4a23d2b20bf68b789b683f1c49fa170f

SHA1
1ef1dec9be7ec9fd84462b4475c43291d61fec28

SHA256
bbbf3cb8a52250e2d0c9c5d201f7e4e25f9e32a0a4f8392e4f2377620feda771

SHA512
a9c9df5ee8659bf1e90ff7281885d33f2d676c075e776d2275604135cba0a080d187e885fcb0789608600063a60b2168b82692d56ce683ee3c94fc4aa15c2715

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4DC2.bat

Filesize
722B

MD5
1f9f7c83f3e91c69281c5665c060b6a2

SHA1
17040167236e9f2f4d3484a60574654401f8a2f1

SHA256
75c5453d4a00430833baf8cec611f740fa33cf597f2e72fe84e1ae52d7c5e337

SHA512
a788deb0592170c39944bba64942ebaa507e76428a2a702f322f8eea483ab859d2fa924489dc63d4226e07d213ab6c758777956591d9f8e569c3d1180a041928

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a50BF.bat

Filesize
722B

MD5
4469fc8a8c87f93c255985c6fd8cd4bc

SHA1
9450a51abf3b992983336505109a2feb4e9d19c9

SHA256
0c44308fbe9895094951bdab5758dbd2bb472077fc07c198083ec5411bd6cc54

SHA512
99375e7430cbbac1215de43cf83a4778dab84ac98d30ac94a1c7a4fdb7ff3c1817a2fbde944fc0db20d558bc7351b55d064257aff2f66d8addb79db37720fbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a512C.bat

Filesize
722B

MD5
e2bb8d3799f57a3ddc862e803f77b101

SHA1
12ce990c1a89a498aa51f2f5e5527ec309289ec4

SHA256
a5bdcb230aa34f6ee736589a6707553742e6fdf38828d2110406091c7d5ef1ab

SHA512
fd1c36ef83d600e98b5327c4c1ecadb5a14f2b3ef9e1f4da0848ca54b1b29210eb7add6711b563c937b16d6de4ba68366920a623a83200281afafedf1a17f25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a516A.bat

Filesize
722B

MD5
85d9a058e74e226c891efc15369a5305

SHA1
fe595dd4812f764c35276ece77ae85b39b088c84

SHA256
e0c0a44aba2b6282bd453d50cbb6747ee1b69df49d0281369330731915dc8d5c

SHA512
50ac793198b557923d4854dd176ff698fa28438a078a13bb126722d87f86f0f113d2d6d194bf36be1c29516459b3bac5073a3eae56f8d31c6d58c0b84a172ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a51B8.bat

Filesize
722B

MD5
d5bbc2e6ab55129ef694a053253279c3

SHA1
8478728b329463287102fb7c4fa3f5faaea8603f

SHA256
c1ecf0b842e6ced17ecedfb6990bb8a309329034446217e60627a5a31fb02dd4

SHA512
cb2c492a288d07ab7e5e3ebe95810cff4ced5b4d02b9f0d808d35e9ae6291435a016c036f26b8551c3a19b29cd0a696847a6d69a88c55a5c631c133059b30e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5216.bat

Filesize
722B

MD5
6494435efe2e714d3d60e46c7c3ff2c5

SHA1
5b3d5c3ae035b013f55e54ef138fb5ffbb98f6bf

SHA256
d73c25c405d5d60500918d648a3add4fa8e5a22fc7b9a877709fab284507570b

SHA512
65d7111304ff0ee2f0be942e0e20bcc3604368c0f0e00cad31e1dbb054dca22f67075b31f50783b30db166fd0d80140094e2f57d76c28b823ea2db1ea0dc4d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5264.bat

Filesize
722B

MD5
7d84327b67dd5569013e6781fe11be69

SHA1
b5156e4aaca53929623f62d50a5ba324d214f420

SHA256
1f48a17caf0f6fcf9e245323d33534d585a9b63555b2a94ef10b315c8c3ef527

SHA512
f1633f59b040a09b443832170f09dd1248c3688256ac7370d103095231f7d2d41f5845284c9977b7d97f9206791180292cea130213fda159d71e367b0ef06beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a52B2.bat

Filesize
722B

MD5
05fcc723629e16f16a2a9532e29bc26f

SHA1
49cbaa641d1df096b0b818c844dd8cab24a32fa5

SHA256
8fb68ae93fccbde1d57bfd9cd8f80e8533cd2142b9b1b2f99da857d774299572

SHA512
6eda80e39f59775fe3e9687c41a139d60efb5e4b404178dc1f7cf1ca5c2a2af35361bb5ca06ea1a8d7d40b2f554714cf8cd75568a82a558633804c8012e6c0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a52F0.bat

Filesize
722B

MD5
037d6b4d8fbb79fa99b73bdc15cd0156

SHA1
3d68dbbd9c171e4e43f5059c65b900da86806653

SHA256
ff4d2ef9bed3c452fa56352110ad7c9f3525ae451fa0d35acf1ffaeed2d52ead

SHA512
4872f955b0d2da8f914e155190cb5f2f27a61b2f3e7f7af72b9e1e9fa71c6b2783749ce0960c4980f1698612aa814844f8b3f3bc2e1ba59558982f2af75a7da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a533E.bat

Filesize
722B

MD5
f178e1f5a43fe88ae99a66ad8fe3cdf8

SHA1
3b4aa3b252fcac4c1491d26f48b3819674edf1b2

SHA256
cb79cc6beb8bb5392843d9ff7d75063da3d673016ec895b230fa77bd6e0b892d

SHA512
2e732007fa74275c6bdeb153079914470b4f1d06b8c637c4d2b39959a4e69d6bb6a11a42b89a70ee1c552a5eda5906d95771a56554179ab42baf8f39d7fed2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a539C.bat

Filesize
722B

MD5
1a3b693ba214f6dfb43cd5291e496fc6

SHA1
73ed5dd43d93b0fdc50afc879460467f1394af22

SHA256
ab1db845098fcbb0589c8eff45915bb4955501a201ef3da771ee8f09f3fdedd0

SHA512
595ae975b221357f118627b2417576fbe7c050512379caccee367aaaf18ad35030593a050c3c35640adf93a6d3a116654497b89ba709c38e455a8d7223e6caab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5419.bat

Filesize
722B

MD5
e7085d0bab95b42dacb276ff6c6b85e4

SHA1
710b595aa87942beb81c40e1c539f7cfaf768ab4

SHA256
2e72bbadf801dd75337f7d9e1b7589426a9b1059bd64e5eddd3627c32eeefc1f

SHA512
4dcbf2d1062eebc146a5612db9a5edc123334fbfc6a6fcd6c5ecd3e7be3e73f0b91bd940a77cee0d9001426fecf813c380dcbaa63156bf92c077ba2e59036a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5486.bat

Filesize
722B

MD5
8a738e9178b4e02ccca24d776f71f324

SHA1
f907cfd758997104f4fba35259c9c24eb67ef065

SHA256
20c6c40c2496c94308c8ae7a93e9fcd46dca0f50c7f6c5eb2d3c9c0aa1fbc299

SHA512
f52704cfa7317e71d92ba0a1fef86b7080cf05e6afa4b0f7b0eb13bd837135ec2e935209e83440cdec6f61dc56a7c7b696dbf899f1ee6b81c73434123d691ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a54D4.bat

Filesize
722B

MD5
6a7a45faf793cf128de5d5e9679cf882

SHA1
b27ec36f10ba4db28f9481ea2699004399b6cf8f

SHA256
21cc901ab11186dc559bce7fcb6882f4cfc4f5447a262ebb21973e4d102e561b

SHA512
48ba86de4b6e90e5f4d52faf58add22755a013a15ae506a523935070c5269b6f8680bb16e8f6903d840a658e02ef16dfdb98604913b30d1203542de14862ff3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5551.bat

Filesize
722B

MD5
16f31fa4beade4375e0b04da9c5a727b

SHA1
0edb935e9746f0ebe6aeb2bb05d35112a3dbf58e

SHA256
c4148fe30000c5b40779994db75f95ce41e400d749f97ddeb8fde0b36baf547e

SHA512
80bde910eb991e6c24e216786758c9f0978e832c936c4288355b14e6c1ef533108a14f1e7954f3b9f1888147c78a829e1aa71957d91c4c6c51a4b75e9f8636b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a55CE.bat

Filesize
722B

MD5
e60401fbdc38e84f4e09412b3f9ef95a

SHA1
3d99d6c87fcbd171a95d14651ab23117ea016521

SHA256
cd3253873071f4c48c52b18dc9b381fe2d8f20c9560efa36383fdc9227f1c8ec

SHA512
5b6e56dd39a49a48e1d49a2b81b09ca0cab290f45e468ddb714f332af26527a2a3312957dfca183bbd5dc568935140ae3c1c7e59d54fd56217d369d759ff8b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a563B.bat

Filesize
722B

MD5
1626dc76e69701521e234c2d2cb9a0d5

SHA1
6fa5bb61011d4fc0445fb97bc7d38a56222d5cff

SHA256
98a805da781a55f25ef767c065be36aaaea1c31aa28c57b18b5b7d2de23521df

SHA512
381be338944fc598906bf55bfa0a64dc95234f668d7ca56078b0584dfcc11d59f6a8c36b5f0a4caf2c9d7207968e7b56a0c227391539d28cdf1e35c524589857

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5698.bat

Filesize
722B

MD5
1b4dab76dd86d9ff3cbde9ab620e1026

SHA1
5bee3514e734cbb80f56e361ef731a3a4ff59c79

SHA256
fbfdce6afe8c8d017db279845ce305063f5a953322ad8bda48fed754e6f1d08c

SHA512
f1b2e3e45c00a8fb68ed2bfa7473fa32e9ceea984702b97227af8ff7983afbbe9265ac199d4f7e33c10abb6573a1bc64010907d7f24e60f5758bd29bc0f072e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a56F6.bat

Filesize
722B

MD5
fb966afea761cae6c885781e24523b19

SHA1
8e8c3497d68a9881bfe2d982eeb2f9da7572734b

SHA256
463f1664f0ca9655aae6b3b3a656a4b2471e9fc7ec0f666e835d882efc6d1f4f

SHA512
ec0333b436a68b9b0bb34a966b7a6588bef91534c03e1c64ca4ca817b8e30bc9032dd38f106cff25b5c5a1a52335011d21ae85059b021e752239e2e7296bdc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5763.bat

Filesize
722B

MD5
92bf0c3c58220f86ffd24a7e01538903

SHA1
63a19b090ef993522c573dcf7809661d7510315b

SHA256
9f73d15148b8c82d45556b776eb57eef5b79ef76c752d788e99696cc05e36cc2

SHA512
99a457df7b4f1624215a4f2fbecbf97a30059c51415e7eeb4f7d5ae859703befe94a0e5cac9106f74fb31e20363bddd730988025dd598caed470c81788bf8f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a57B1.bat

Filesize
722B

MD5
d2f9618e6bdb18374f26e6c198939e2e

SHA1
d5ec0f71c3dc7f6344cdff6bcf1e45ba1b5ee57b

SHA256
488410912e15fddc3acc9cb715f74eb5b14ee3ec98f285ac14a1e6feda95d94a

SHA512
ee38f1361215160fa51d94de28a5b52d82f3e7c71690759799730311ba5e94d3b9de0bc2ad61ff411faa68574ed953e953e9934064aee38a3776446808bc08b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a57F0.bat

Filesize
722B

MD5
9c1c7015f325868cf675034459c07a69

SHA1
b85a3e7dbc246f2ad5b8032e5678cbc290eb74fc

SHA256
734d81c558ce05bf0d9a32f9ae113f1f6672e03b5655c08bcab501323cafcb0e

SHA512
9405eb56a06ce24a735764706a306bb3c19043e4c7b083d6878367af18a8a3a6287960058fa20f7873f92ecece42ab710b0bc8e6882592fbf9edd7e59b786a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a583E.bat

Filesize
722B

MD5
99679f3fcf1616dd5e80b66611da0889

SHA1
d22a2f19f63286e03a87c1d1582f3d4c36b8740b

SHA256
3ca58528ab3607ee500c008b687f402177ebebb2ddfda776aa436a97dd7e5e2d

SHA512
3964ff114150016e0bd4125dd4c38e42d8144f0cfe54f7d5f525a5f6d14e4b73d6df834061519029d932837c7c5ca59959c4a413a4731390684030fde534e455

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a586D.bat

Filesize
722B

MD5
bb649ff878f4f9c140b79a989a0d003d

SHA1
fc1d7c1034c979aabb2b375feaaa7d43ce880381

SHA256
add1ad7828a214123716ae1f4dd0374706681c7774c0b985ddd1f7c49c693233

SHA512
99b8889d2376db925950387db77e806ba996bbb51a474944fd590e229eced18994ac400fa86b8ae4d75d67b3afd41fba62fab03a86d5c1408c2b01efb7edf134

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a58BB.bat

Filesize
722B

MD5
df5706613e833aab9076cebe1f137b1a

SHA1
85bf318b96f3f0b2d8a88e5f2bb3caf0000a21c0

SHA256
9bb51194f67d5abed1cb45d0becee2727ca7d31adeff7f4ffdf24377604ef42d

SHA512
a5bd084be48f028e8f7adc254828fb67ca1ad0571cee17d50b4a5d546695791be3a508c1709dcd609fc8bac32d1132e591e46a1bff6b75f0f675e5f32f94ed9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a58F9.bat

Filesize
722B

MD5
d4b111190d5682b4694e7f2c3e85dee6

SHA1
dbad45d3aa3fa5ae0b9d5b1a47ff7b6c683633bc

SHA256
c6d0772743c51e233c6b80f8f2af573288a9111d29490a2a1e82c11b78525a3d

SHA512
85c7ae217ac0881747767bcca9d2ff7ecf3080ae36c3d103acc68ad2a4cbca5d7ffec8e9d07db5573dd6b39a02b3adc1e8e0965051903e84904fea244f130660

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Filesize
1.4MB

MD5
6453c16919e8470f1ba2bc5d5a107ba8

SHA1
bd1acacb00564a4d3ef5bce6024f6c0ff57fd06e

SHA256
e32c3ef6c1bd9f6894bd3eb0c725becdc79e384fd1801003b4b1b4d10704701f

SHA512
57fc8cadef16699392ec155c57fe5fa93df00f9d5705ea0a539f0b2820cc43a145963effd961b5309a158673e00f7f1cc83af6a333c117de35a0aaf63c7fa156

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Filesize
1.3MB

MD5
17c7ace555fe5108801581e0537e1de5

SHA1
261ba39c10e678188d3fbdf28241ea4f5f499684

SHA256
e34c6b05ae4d41c1835566311a6a2b3343665e3a6315ff880fc9e6156a3704b6

SHA512
d5eb4d6c68e2a17df59cd4c15b841f89942140116786cb81a9c064bc769a42b837c0ea65791834bf0f8286703fbd376e180ed2ed07d687e2613e7c35c564f2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Filesize
1.7MB

MD5
22ed0526ac6f69992e23505e8d7dc004

SHA1
af3cbe14fc0c4364bc499de1fdc243d252c81d38

SHA256
2bdb0cf8c704fc2c96c7ec9dcf60190f59bec6cb814adfbb430a97dd1391bb53

SHA512
fd7fb5699e48bfc2ec446ec732f993452f831df6567f976ab5ebac40392ce13a038a705a0eafe65104f4c2eeb5a60bd9a0975b6613ddb78d709b1219376ee5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Filesize
1.7MB

MD5
b2b328794fcd97500ae2370f88d93678

SHA1
c58aacfa72f89ac8cd56f700571e82659f6b011f

SHA256
be89a2ccaa2da559e8a58119f8251cc16e8af9de27e7b90fa8480092daafd70f

SHA512
7208abd523b5cc1f0e229709557f50073d360d2e8c01205995e04ab772243798bf9d2c93c7e4112a7714b4321cd39abc0ff1d7845b5977250cb039947c50ad7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Filesize
1.5MB

MD5
8390eee42804fa3972f15313bea91454

SHA1
5f2c563b2a5efed63fea038a31ae8ea4d3d42817

SHA256
54fd5140ca19323d87e8357c792e6f106b9467acbbb56ecd69c9ec2bba68974c

SHA512
a3a351ff1779119e26dd1afaa9d78b2e4e6d70978dce6386379475dc8bcf44f18ee7988b8fedff263b32598c81733f49ed93f79a77e02a0b5ba9b0374f69e232

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.4MB

MD5
79781d1144eac7e04aa9f4df837425a3

SHA1
2c0a7111f009c06653e45336e8360ed14bf210fd

SHA256
7af58533168028e5b89c0d1f2b9383157a7a68591f8f532acaa6666becbbde2b

SHA512
243382f4305c94f7b75e276cf16138f35062fc5f957128116a6f1f1f7412fe834e772439395c8aa570bdf50a596e203641d0e7f3e5cdf01008bd0b24516b6867

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.8MB

MD5
819c835041cf406f61377f3f434672ec

SHA1
6b69fd7f0163e338e26f8548657cd8f02d6bd783

SHA256
d8fd9cab261550edf66e0ada7109a321765e645a1122004f6661f86092ede187

SHA512
81045de8da7a5d12bb8751c1860de2412416b7aebc6bfce5231bdb91b1fa5eb0b7b82e49f1dd1a4208c8f7b9909adee09fb9e7096f49695ae8658189903fdbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.5MB

MD5
ceb672b59ae8aa63de17b91f23eeb781

SHA1
be4d83d3b9706ef528f539013c8f7cc95a4626da

SHA256
915c2b05751586028e879881c01d046d0ae6965e17875b6eddafde3d48d65e3a

SHA512
753cfb61689d712600830665c239ef91f516a670c969759c44996bbce7f8fd36f97c402f09fb701a8affc90aa169e7730b764c577d54ad241f323f492f821545

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.5MB

MD5
9b5c76799d9d1a8d9967f302ac3fc1ec

SHA1
1a5cacedc4f22e33ae7870f2e7e190748285e0de

SHA256
0586201a8fd94d3f46ab51e78ef54eae70d8dda96f0c04a28c5d3957455d8cec

SHA512
23da9c5484b617a57e3544d7f331809bd1d0f288bc90efce61361c761fd4191033aa28281fb9785fe7e5f0709f9fb9d5d098f44d4adba185fe9a85171f9243f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.8MB

MD5
ef5ec16ae976ab4940243d706ab9a235

SHA1
d9c291d767481b73cd38f29d2821a45b886ec05b

SHA256
36c11124fb05c4fbe69e5ee1b57b4bb12438704b3c98f91e482e993806ddcfda

SHA512
271f4f640961dce4b7df29485a41f59c9d1bc78f55e1f252da4ec4814b59fb8a5a55d7dfbe228c074318807078ea94290b5c89c88191d23ac88d8d0ea020eb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.6MB

MD5
82b3daffe88db9c756ad91478ec15fbd

SHA1
fc70b0daa48a76b81271b63c686022ca20a744c8

SHA256
71172527e1cb0a326afde52f1344214a8ad0c1e2f91f95540d58d282017d9c2d

SHA512
f6588d7c4901843690121c897f93b3c363ab336a8b97fcadebe0a8c0e0f47627e8430d826adc1d8782bf7b95ca5c33ded22b4bd3da2e19f2145f29fa3c77f63d

Download Submit
C:\Windows\rundl132.exe

Filesize
44KB

MD5
6d85a04f5bb329cbba3880c43337ec52

SHA1
8c2e62f730619b2e06a5fb802e115606b664525a

SHA256
ff95e5e3fea6e5f9692d24c81ab36bae1013658a34bc60cdcd9b4c591e7feec1

SHA512
31919b83c1b66e4eb99612c6b23a7dfc1cd107e51e3178bc8fb695c8243d7493f43b05a4ab8d0880763aa584ccbecdb1b61b31f0a66d8a92938884b9ef04daf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\_desktop.ini

Filesize
9B

MD5
888e0958022ac10e914e1c9ca3f383ab

SHA1
37d80b3ecaacfed7092fcbe70d7c1000a5246e09

SHA256
627942d6123a7fed1e8414a3d46906af51b7c5f06837df6d288707d29a84e1a1

SHA512
a643219412a29dde13c4d0a9619dbdea00193e91276e163edf546f3392c704a8c2936a2c27d2a0206bfc3ca592d7d79be849c51a1d9af0e4d237cd3dc47eeec4

Download Submit
\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Filesize
1.6MB

MD5
0758588c903431ca72f83873fed5ee6d

SHA1
04058fc8ca64b3339b3af93ca360661e97dac4a9

SHA256
cf80a37957c28bf6cfb8adc34e96176ed178d2add5fd51c6c5dabb0aa444ac69

SHA512
a14a9ff0399b8254f06b9bcbfe2184487d61487ec6990edb312fedfeb782e1481645dbba33d9bf60489b016d1a77363acf8306495703ac86e145198fd764cf21

Download Submit
memory/292-3936-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/572-88-0x0000000000330000-0x000000000037D000-memory.dmp

Filesize
308KB

Download
memory/712-3918-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/764-3376-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/784-3846-0x0000000000300000-0x000000000034D000-memory.dmp

Filesize
308KB

Download
memory/860-3735-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/872-2322-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/872-2200-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/872-3298-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-3891-0x0000000000190000-0x00000000001DD000-memory.dmp

Filesize
308KB

Download
memory/908-3377-0x0000000000300000-0x000000000034D000-memory.dmp

Filesize
308KB

Download
memory/916-3845-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/916-3480-0x0000000000290000-0x00000000002DD000-memory.dmp

Filesize
308KB

Download
memory/1004-3396-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1056-191-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1072-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1072-16-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1088-4790-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1116-166-0x00000000001B0000-0x00000000001FD000-memory.dmp

Filesize
308KB

Download
memory/1156-3937-0x00000000022C0000-0x000000000230D000-memory.dmp

Filesize
308KB

Download
memory/1200-108-0x0000000000270000-0x00000000002BD000-memory.dmp

Filesize
308KB

Download
memory/1200-109-0x0000000000270000-0x00000000002BD000-memory.dmp

Filesize
308KB

Download
memory/1204-66-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/1220-3491-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1260-59-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1276-1941-0x0000000000180000-0x00000000001CD000-memory.dmp

Filesize
308KB

Download
memory/1508-37-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1508-27-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1512-3397-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1620-3428-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/1628-552-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1644-520-0x0000000000130000-0x000000000017D000-memory.dmp

Filesize
308KB

Download
memory/1668-3927-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1688-3367-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/1716-3439-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/1880-3881-0x00000000002A0000-0x00000000002ED000-memory.dmp

Filesize
308KB

Download
memory/1888-3858-0x0000000000140000-0x000000000018D000-memory.dmp

Filesize
308KB

Download
memory/1888-3857-0x0000000000140000-0x000000000018D000-memory.dmp

Filesize
308KB

Download
memory/1904-3479-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1940-1952-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1940-1943-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1948-3869-0x0000000000110000-0x000000000015D000-memory.dmp

Filesize
308KB

Download
memory/1948-3870-0x0000000000110000-0x000000000015D000-memory.dmp

Filesize
308KB

Download
memory/1972-3909-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2000-3418-0x0000000000280000-0x00000000002CD000-memory.dmp

Filesize
308KB

Download
memory/2028-3890-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2080-3900-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2112-1906-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2112-1934-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2152-3458-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2188-76-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2204-3859-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2204-3868-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2224-3438-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2236-3460-0x00000000022A0000-0x00000000022ED000-memory.dmp

Filesize
308KB

Download
memory/2272-3880-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2272-3871-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2348-165-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2348-176-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2356-118-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2396-98-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2396-3570-0x0000000002280000-0x00000000022CD000-memory.dmp

Filesize
308KB

Download
memory/2400-3387-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2496-3947-0x0000000000170000-0x000000000018C000-memory.dmp

Filesize
112KB

Download
memory/2508-182-0x0000000000450000-0x000000000049D000-memory.dmp

Filesize
308KB

Download
memory/2568-43-0x0000000000270000-0x00000000002BD000-memory.dmp

Filesize
308KB

Download
memory/2584-3449-0x0000000000420000-0x000000000046D000-memory.dmp

Filesize
308KB

Download
memory/2676-3836-0x00000000002F0000-0x000000000033D000-memory.dmp

Filesize
308KB

Download
memory/2704-4791-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2704-86-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2704-18-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2704-3459-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2720-3448-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2732-3427-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2748-3408-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2760-3417-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2836-3946-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2936-201-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2936-211-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2940-3847-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2940-3856-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2988-28-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/3008-3091-0x00000000001C0000-0x000000000020D000-memory.dmp

Filesize
308KB

Download
memory/3048-3398-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3048-3407-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3052-3386-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3056-3461-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3056-3470-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3064-54-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3064-44-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download