41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Size

1.8MB
MD5

f7bd915047964c6345eee588679d3f6c
SHA1

818772db9065eda9a6ccd20eef06d5256280e17f
SHA256

41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327
SHA512

301ac44daf8b6121b70c3bdf106b6e15af2c8727c91ec81a595186614ad3f1b4cc431d254dd59564ed84abee23883c25bed5e9233b2dc20c6fcb0393e7bb6585
SSDEEP

12288:vj7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7g:fcX

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 39 IoCs

pid	Process
2388	Logo1_.exe
4364	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2360	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1328	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4672	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
100	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
5116	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3908	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4816	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2344	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
868	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3564	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1300	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2176	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4840	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4564	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
856	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2636	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1420	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1320	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1592	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1344	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4264	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1220	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2828	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1076	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2764	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1616	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1724	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1056	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1216	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3564	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4452	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2196	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
860	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3468	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4564	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3396	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4600	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\1B6EB.com"	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AugLoop\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File opened for modification	C:\WINDOWS\FONTS\1B6EB.com	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\rundl132.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\WINDOWS\FONTS\1B6EB.com	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
60	4600	WerFault.exe	202

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4600	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 5088	392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	81
PID 392 wrote to memory of 5088	392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	81
PID 392 wrote to memory of 5088	392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	81
PID 392 wrote to memory of 2388	392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	83
PID 392 wrote to memory of 2388	392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	83
PID 392 wrote to memory of 2388	392	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	83
PID 2388 wrote to memory of 4804	2388	Logo1_.exe	84
PID 2388 wrote to memory of 4804	2388	Logo1_.exe	84
PID 2388 wrote to memory of 4804	2388	Logo1_.exe	84
PID 4804 wrote to memory of 716	4804	net.exe	86
PID 4804 wrote to memory of 716	4804	net.exe	86
PID 4804 wrote to memory of 716	4804	net.exe	86
PID 5088 wrote to memory of 4364	5088	cmd.exe	87
PID 5088 wrote to memory of 4364	5088	cmd.exe	87
PID 5088 wrote to memory of 4364	5088	cmd.exe	87
PID 4364 wrote to memory of 5076	4364	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	88
PID 4364 wrote to memory of 5076	4364	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	88
PID 4364 wrote to memory of 5076	4364	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	88
PID 5076 wrote to memory of 2360	5076	cmd.exe	90
PID 5076 wrote to memory of 2360	5076	cmd.exe	90
PID 5076 wrote to memory of 2360	5076	cmd.exe	90
PID 2360 wrote to memory of 4464	2360	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	91
PID 2360 wrote to memory of 4464	2360	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	91
PID 2360 wrote to memory of 4464	2360	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	91
PID 4464 wrote to memory of 1328	4464	cmd.exe	93
PID 4464 wrote to memory of 1328	4464	cmd.exe	93
PID 4464 wrote to memory of 1328	4464	cmd.exe	93
PID 1328 wrote to memory of 4836	1328	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	94
PID 1328 wrote to memory of 4836	1328	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	94
PID 1328 wrote to memory of 4836	1328	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	94
PID 4836 wrote to memory of 4672	4836	cmd.exe	96
PID 4836 wrote to memory of 4672	4836	cmd.exe	96
PID 4836 wrote to memory of 4672	4836	cmd.exe	96
PID 4672 wrote to memory of 1064	4672	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	97
PID 4672 wrote to memory of 1064	4672	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	97
PID 4672 wrote to memory of 1064	4672	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	97
PID 1064 wrote to memory of 100	1064	cmd.exe	99
PID 1064 wrote to memory of 100	1064	cmd.exe	99
PID 1064 wrote to memory of 100	1064	cmd.exe	99
PID 100 wrote to memory of 3268	100	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	100
PID 100 wrote to memory of 3268	100	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	100
PID 100 wrote to memory of 3268	100	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	100
PID 3268 wrote to memory of 5116	3268	cmd.exe	102
PID 3268 wrote to memory of 5116	3268	cmd.exe	102
PID 3268 wrote to memory of 5116	3268	cmd.exe	102
PID 5116 wrote to memory of 1724	5116	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	103
PID 5116 wrote to memory of 1724	5116	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	103
PID 5116 wrote to memory of 1724	5116	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	103
PID 1724 wrote to memory of 3908	1724	cmd.exe	105
PID 1724 wrote to memory of 3908	1724	cmd.exe	105
PID 1724 wrote to memory of 3908	1724	cmd.exe	105
PID 3908 wrote to memory of 4868	3908	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	106
PID 3908 wrote to memory of 4868	3908	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	106
PID 3908 wrote to memory of 4868	3908	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	106
PID 4868 wrote to memory of 4816	4868	cmd.exe	108
PID 4868 wrote to memory of 4816	4868	cmd.exe	108
PID 4868 wrote to memory of 4816	4868	cmd.exe	108
PID 4816 wrote to memory of 1536	4816	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	109
PID 4816 wrote to memory of 1536	4816	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	109
PID 4816 wrote to memory of 1536	4816	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	109
PID 1536 wrote to memory of 2344	1536	cmd.exe	111
PID 1536 wrote to memory of 2344	1536	cmd.exe	111
PID 1536 wrote to memory of 2344	1536	cmd.exe	111
PID 2344 wrote to memory of 2876	2344	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
  "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC14C.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
      "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC2B4.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC302.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC38E.bat
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC40B.bat
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC488.bat
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC5B1.bat
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC63E.bat
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC709.bat
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC767.bat
        21⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC822.bat
        23⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC890.bat
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC8FD.bat
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC97A.bat
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC9F7.bat
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCA84.bat
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCB7E.bat
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCC0A.bat
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCC58.bat
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCCC6.bat
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCD33.bat
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCDB0.bat
        45⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCE1D.bat
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCE7B.bat
        49⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCEE9.bat
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCF37.bat
        53⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCF85.bat
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCFE3.bat
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD040.bat
        59⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD09E.bat
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD10B.bat
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD169.bat
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD1F6.bat
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD282.bat
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD2F0.bat
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD32E.bat
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD38C.bat
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        76⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD3EA.bat
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        78⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 184
        79⤵
        Program crash
        
        PID:60
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4600 -ip 4600
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aC14C.bat

Filesize
722B

MD5
b9d82f4b59efbeba0045fc5714fa5dce

SHA1
fa6503ba77705c4e0b55660b7404b3a345b662bb

SHA256
668f7e58ac2fd95a5a8c0d6dd6f16505369129dd7ed2053fe1651fed2fac8281

SHA512
ecddefc5fdb6588e24ad0733125adf13de1621ff4bc1de81f44036ec5b52668571c6af8f0c030abbefaab394a26b8168a8f0c14511fa194705b1e2edf7d6b558

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC2B4.bat

Filesize
722B

MD5
f6519ac1fa425ce30c9c84499b44a727

SHA1
2cff4f5863fc1a81bb00c4b540d005bb7325d343

SHA256
93ca09efdd7082982e078fbe3aa59d7deb2d24be7c1708a019eb39eabe25f49a

SHA512
4cb5827d0572b978678177a7a22c7e56d660ddb44b8e6051e3a203e9430f9a0207233ae15cb9cada3ccc3fbe58caa8a633d24eef1a10aa94bec9619096c63928

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC302.bat

Filesize
722B

MD5
3ed7ae9e1313ec7d83312727ca4cf834

SHA1
1d8775fda284fba8e7738af03bb1e43088436cdd

SHA256
8b9476fd46ebe5d8322f3f79c3c9a816a9529c0ab92cbc7f400944e36d9399e8

SHA512
389c229eee96b4edd3643a16f5d55e710a4f6c720305fb0561b8797f8aaec3cb25ed4e6f551bc32b9ee1ea051451a9d1575e2097a2d98d956a17e5b7a372345f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC38E.bat

Filesize
722B

MD5
d187c42d56502f7b34da19039eb07019

SHA1
a988cc2c028fdb6ca58e491450091fd6eed53cb6

SHA256
33504ea3590f2f664d153f88ad3c6903ab45aa895d243ebd07ee489615043ebd

SHA512
6bb49a03b8831e4dd1c0f586c673e6cc2db77125ab9cdc797d07143f4c96f7c1f983a2467fda413f5c15e3a97ab7c837d4fc0fb4499496fd48e2bb98844a08d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC40B.bat

Filesize
722B

MD5
df5236d45c79ebee15806fb304e553c4

SHA1
f1c5a28ffcc81295b1f34b61645f3cee6ad7c311

SHA256
bdc771911a63ffde2747b8505196570f49e7ec53b262ab940c6d3164ca9984de

SHA512
295ee1c6216e6ddbb9a1ec429f6087cdf8a22c0fe98339d0c525361955782757ab781597e493eb0cee37c536bbfbd0680fc136049245a71f5fe0aef5d5845913

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC488.bat

Filesize
722B

MD5
50e6ba0e340282ef2a3fc55eba4f1e6f

SHA1
27879ac4af937dfd2138a8bf08c976845c66f717

SHA256
069c95711b3caa2777a51a541f203dc593e1cd34c0e031ebc50d7577cd0176c6

SHA512
b59a69d08be7c1db37881913b1e2443550856c12e2fa56ef60550811f0d648fb54d418ac7dc922781929ff4d8711a0de06c3134d255acb39e1957a851f7afbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC5B1.bat

Filesize
722B

MD5
82a4c2f63c98f2cc59b353d0f0ee7d8d

SHA1
f94444f9f4e51ed687113955bf8750acff214e11

SHA256
f36260f4226781f8b306beee7a43a59dfe08900f0b6db1332ae98450baa7df29

SHA512
3ad531b67e6dd691806778c7136fde891452dc96af2e2da822e7d2de9f84b6cfb176db60f2331909a68abe524d39d13bb11acd6df34921ea42cde104cda50a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC63E.bat

Filesize
722B

MD5
a245823e119666396b5775b63dd7e705

SHA1
118759cc9b1701e6125a386276f6475c12f0a284

SHA256
b0035e09fb39ba34ed7c78095065a3d41743bb8da6eb9d3932360c72233baf31

SHA512
c0f4f58e73bbd1e830550c7f40abbaa50f04f817d782aeceba33accd8ce25a20326314270604fe4ce4b85f9a373cdaaca42f579d4e0a5328912200a612ba22cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC709.bat

Filesize
722B

MD5
f2c423787b392a1acfbae8b2cf5ed23d

SHA1
a2fabaee9eebfdd95f525672054d32eab3112a21

SHA256
2cfe15e3d322702fe485b1c4f5c1251da2b24102a8602b0dc37e1d8ebbb434ae

SHA512
dd1583f4eabb4caf20d5fbaa8f5245ff7a0d71bf78e050c1d442d16720756996537061c597c8cad2d129af19ee48519699621026202f130662e528c93c7be31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC767.bat

Filesize
722B

MD5
d61f7d407ad244c67f5af8547ad25270

SHA1
6ad51b5d13009bcf1e3b1abd4b416afcbe1bad16

SHA256
05350e02a76830313297fd0a00903bc877240e33a7d5e70eeeb1214da54b300d

SHA512
d2282ee7220ee407ae3a7d1d9b830b7c618946fce76ba8df1b6a2e79ca3b1d0fbf5099f6d389e3a44ab8469b4062674fdf41e97c786c24f32573a03ab3a9eacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC822.bat

Filesize
722B

MD5
d39e112bd5bda9161c911ddfc0856b36

SHA1
ef5a8080d185108f3b862fc1ec84a15bf7a62c6a

SHA256
37100ee352c60816a03251b38ef8b4056ebc1a0008c99dc09a92df62b01390b3

SHA512
ae1c5bc02863e06a5c5370a3a02380ff14e9a6a395e25ae8f75be8fae46567051a2df37c84ec4c004d67a52b38a4bce4964f3ea21912185c802bfff350d471f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC890.bat

Filesize
722B

MD5
e2c7b2d070554c3ffe5e431c374d4b33

SHA1
a548fe1eef127f5a3c1fad7e0c384a3a4e98f390

SHA256
d6abb930dd92c0592daf4057ca300755de9378296e3c4de873a4c4dbacc5bdcf

SHA512
bef2df390703392413f09bb1cadb9dbee611bb1f6e42ac910e6a81ae759baaccc3ad16135b50205d0ff43b6e80af08a6226bfd58f5ebe1314b4ed98211f1cc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC8FD.bat

Filesize
722B

MD5
467a505665452c9b0911d9701e7e1459

SHA1
37edb7803a47043602534155b034552a5db3dc14

SHA256
29466e24e7a6281d5654ddd7e7522efbc50800532108c535c84a6deff7683e19

SHA512
4443e257118e20f6737b5f145944a1821dbdc81ae428920a237a5fe17e9018fcfcbee32fbc53be26c2877c8047c84592e62de01766e7f05a7a729fea53d95b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC97A.bat

Filesize
722B

MD5
be64fcb421c718d054ea7608f42bfec1

SHA1
24c908465e1a5ec247551329bdadaeb5b5267f66

SHA256
0e5dd79a935df9c0adedda2901b59a0bb8da929ae1eaa3ed3a446b506ccc7b8c

SHA512
f4c5c6544a82a0efa4923b4f7f6861ef624c107ea746971374c54f51a0e46b5b35c483749dc2d3fd45f628fc95becdf19ede032d64a1d7be0b8c663f25de46e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC9F7.bat

Filesize
722B

MD5
79eedfbd611e6bbe25664fa8f04e0b70

SHA1
1577fc4ee36ba69cb76833d7ddcef261ef22c48c

SHA256
25d462f51df337c74051c5b255cd956bdc8f57a8fd04570f6984609ebcc00126

SHA512
9ae5379f3d62ad31133655e986de6ce00c164de1007335b136e3384bad0463eae840d40fd50022629d6d7fe14281aae930e792fdf55fce6754ab85660cee106e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCA84.bat

Filesize
722B

MD5
450d4f69e7e84d08c8759b987a53871e

SHA1
527de992f16827c4d48d062a212b69dfd97c0ead

SHA256
5f3306cf06d3af11384eedadfd13ab6488ab13f71d87957210fa89eeb1ab63e0

SHA512
80dbf47769e1e659199b696a8efe928ab33c01b11d716b02aadc0f8b4f496fd5958548760ac93edf0d888ea637fd5acf04c11796078122c26dfc2ed1412612e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCB7E.bat

Filesize
722B

MD5
cf7ba3aeb156440b8d938cd89330b89f

SHA1
744079ba3d7fe7c2f0b508a18d2e9d214f64d458

SHA256
899830587c5ca6fedcfe05808f4d3233d0aa6adc39e9f9a018cea4e8ce52c9b9

SHA512
15331041ce9f3076a802d21fe06ac914b031a5be407d71ad7632d0041c73fc1f9935e45daa2d8f1581d8346aacc095568a972a8d477f147d336748b466375a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCC0A.bat

Filesize
722B

MD5
88886d83b68f745438644e618177ad1b

SHA1
5c77b3a2a2ba753755531eec295aa9686f46446f

SHA256
97f76db8a06ee3543e3b3ce713b967cf8fdfdba49e5f217e0d0deeb13bb99c3e

SHA512
28695eebdd48b1b0fa201638b5a0896dff63cc008185a023273b8c71501d6eddeba41f80d764f5c5b1d19c03133cd727f4cb01e168e577978251bbe6ae02c444

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCC58.bat

Filesize
722B

MD5
beb5237d9679d956c329aa6cd9777123

SHA1
62a620a11e41d944a95c302a681c1769a77338b0

SHA256
29c20776269f4759c7f975d156067c27f8b17c9dc3d0d3cf4ae00f4c0e4a4e28

SHA512
d2367fc3daea8f8a7d6bb73530250a69689a6a733d5d17dfbc081f81e3f5474fbfc578535d7cabc1a2eaa90d2ae08194126b2b7a110f97669f416469a7d71dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCCC6.bat

Filesize
722B

MD5
b48cf891935350628b30e1fb2a4a615b

SHA1
3f076736ae1da655eefc5a44ec13843c2deabd42

SHA256
88bd93075624586b866ca5478ca55133fa99175e7aa80d972e60dd42579a22c6

SHA512
32ef74cf9723a2e04ace8c2e555bf7223ca944b26c16da46f4bac9d6cd535e7272fdbea85e93aa3f322a2b6b3617acd123c48634e653c4052d42769b3633f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCD33.bat

Filesize
722B

MD5
5d88ad8c33d17d086779bc1e205c4b1f

SHA1
71f1d8a33d6080b1baed6be4075d697355d47c20

SHA256
221fcf7bfa086ef471e0ad3bffb5f93d4a6588bb4351e616ba74a341d0ef6b9e

SHA512
67ad5f0015b6dbe3957e9d360aeaa39bc7807346db60102d7586289838a4f16a3a5a0ecb29f43137a12c3c39182643f23795a22239617c0f978c97e1ccd6c899

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.8MB

MD5
ef5ec16ae976ab4940243d706ab9a235

SHA1
d9c291d767481b73cd38f29d2821a45b886ec05b

SHA256
36c11124fb05c4fbe69e5ee1b57b4bb12438704b3c98f91e482e993806ddcfda

SHA512
271f4f640961dce4b7df29485a41f59c9d1bc78f55e1f252da4ec4814b59fb8a5a55d7dfbe228c074318807078ea94290b5c89c88191d23ac88d8d0ea020eb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.4MB

MD5
6453c16919e8470f1ba2bc5d5a107ba8

SHA1
bd1acacb00564a4d3ef5bce6024f6c0ff57fd06e

SHA256
e32c3ef6c1bd9f6894bd3eb0c725becdc79e384fd1801003b4b1b4d10704701f

SHA512
57fc8cadef16699392ec155c57fe5fa93df00f9d5705ea0a539f0b2820cc43a145963effd961b5309a158673e00f7f1cc83af6a333c117de35a0aaf63c7fa156

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.2MB

MD5
a64074245477d333dacd4f24d40747b4

SHA1
b5b9a9673bf5f5f30fae61beeb5b229d956fb7df

SHA256
efb10c0efe9d588e8f7e6b645869585869d1a612ecd482164b7bc21072237e6d

SHA512
e07a0189dab47a88602d8cf0540e1629141f4a558103d4aa71d6b8b691a7351883eb0eca89c6899e7bb9fcaeb8d50cc74ed3edb3ab794c5040cf8ba5bc1a44cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.8MB

MD5
819c835041cf406f61377f3f434672ec

SHA1
6b69fd7f0163e338e26f8548657cd8f02d6bd783

SHA256
d8fd9cab261550edf66e0ada7109a321765e645a1122004f6661f86092ede187

SHA512
81045de8da7a5d12bb8751c1860de2412416b7aebc6bfce5231bdb91b1fa5eb0b7b82e49f1dd1a4208c8f7b9909adee09fb9e7096f49695ae8658189903fdbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.7MB

MD5
b2b328794fcd97500ae2370f88d93678

SHA1
c58aacfa72f89ac8cd56f700571e82659f6b011f

SHA256
be89a2ccaa2da559e8a58119f8251cc16e8af9de27e7b90fa8480092daafd70f

SHA512
7208abd523b5cc1f0e229709557f50073d360d2e8c01205995e04ab772243798bf9d2c93c7e4112a7714b4321cd39abc0ff1d7845b5977250cb039947c50ad7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.3MB

MD5
46a565c71f3275a08a943e75a9630534

SHA1
600479e2363c656b6a797a9e8e29c23eb8b56af6

SHA256
dcff89cbe4178ae735dd747205fd555d55012bb3209f082c49fa422badfb2f51

SHA512
ab0ca82a17fcfbb2695f2d9650ca14ca5a4b69df03c206531426f97d03a1b3273771c9a277b9146431ea7499780870a8d9206c08dfcd37228ed65335693d230a

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.1MB

MD5
4e49fcebb06945f128e6a0d859db04e5

SHA1
8d285dc8a8a56766b3457d2d43f5fc46e241c8bd

SHA256
885a7558106653623010fd415d1ada8a7ac0b1720839f7b0913f4f18cc9c74e1

SHA512
9e95b7de1dea3c745ba22685f0fa7753730d28f7815014ab818ced23a76cd35f240be927be1bf9c62850fd09ea23c3a79c5514bb3261d7d8e3c91ae940d01111

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.7MB

MD5
22ed0526ac6f69992e23505e8d7dc004

SHA1
af3cbe14fc0c4364bc499de1fdc243d252c81d38

SHA256
2bdb0cf8c704fc2c96c7ec9dcf60190f59bec6cb814adfbb430a97dd1391bb53

SHA512
fd7fb5699e48bfc2ec446ec732f993452f831df6567f976ab5ebac40392ce13a038a705a0eafe65104f4c2eeb5a60bd9a0975b6613ddb78d709b1219376ee5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.6MB

MD5
82b3daffe88db9c756ad91478ec15fbd

SHA1
fc70b0daa48a76b81271b63c686022ca20a744c8

SHA256
71172527e1cb0a326afde52f1344214a8ad0c1e2f91f95540d58d282017d9c2d

SHA512
f6588d7c4901843690121c897f93b3c363ab336a8b97fcadebe0a8c0e0f47627e8430d826adc1d8782bf7b95ca5c33ded22b4bd3da2e19f2145f29fa3c77f63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.0MB

MD5
36f9edc24d01b52655548a13c9a2e414

SHA1
0e1e32e2a04812ed63e3b94adb57462e5afefa2c

SHA256
240a3127e384fa3cfdec86720731ef65f72d74a3f1a324def522aa7d582e8b14

SHA512
7cf6bbc995cb6baf8274d4798960c7fdcaf705344cb8428c9d9cc5a597dde8328245093d315bc09d821b9cffcade124770a914e30f091946ab3971120cfca966

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.6MB

MD5
0758588c903431ca72f83873fed5ee6d

SHA1
04058fc8ca64b3339b3af93ca360661e97dac4a9

SHA256
cf80a37957c28bf6cfb8adc34e96176ed178d2add5fd51c6c5dabb0aa444ac69

SHA512
a14a9ff0399b8254f06b9bcbfe2184487d61487ec6990edb312fedfeb782e1481645dbba33d9bf60489b016d1a77363acf8306495703ac86e145198fd764cf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.5MB

MD5
8390eee42804fa3972f15313bea91454

SHA1
5f2c563b2a5efed63fea038a31ae8ea4d3d42817

SHA256
54fd5140ca19323d87e8357c792e6f106b9467acbbb56ecd69c9ec2bba68974c

SHA512
a3a351ff1779119e26dd1afaa9d78b2e4e6d70978dce6386379475dc8bcf44f18ee7988b8fedff263b32598c81733f49ed93f79a77e02a0b5ba9b0374f69e232

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.5MB

MD5
ceb672b59ae8aa63de17b91f23eeb781

SHA1
be4d83d3b9706ef528f539013c8f7cc95a4626da

SHA256
915c2b05751586028e879881c01d046d0ae6965e17875b6eddafde3d48d65e3a

SHA512
753cfb61689d712600830665c239ef91f516a670c969759c44996bbce7f8fd36f97c402f09fb701a8affc90aa169e7730b764c577d54ad241f323f492f821545

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.4MB

MD5
79781d1144eac7e04aa9f4df837425a3

SHA1
2c0a7111f009c06653e45336e8360ed14bf210fd

SHA256
7af58533168028e5b89c0d1f2b9383157a7a68591f8f532acaa6666becbbde2b

SHA512
243382f4305c94f7b75e276cf16138f35062fc5f957128116a6f1f1f7412fe834e772439395c8aa570bdf50a596e203641d0e7f3e5cdf01008bd0b24516b6867

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.5MB

MD5
9b5c76799d9d1a8d9967f302ac3fc1ec

SHA1
1a5cacedc4f22e33ae7870f2e7e190748285e0de

SHA256
0586201a8fd94d3f46ab51e78ef54eae70d8dda96f0c04a28c5d3957455d8cec

SHA512
23da9c5484b617a57e3544d7f331809bd1d0f288bc90efce61361c761fd4191033aa28281fb9785fe7e5f0709f9fb9d5d098f44d4adba185fe9a85171f9243f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.3MB

MD5
17c7ace555fe5108801581e0537e1de5

SHA1
261ba39c10e678188d3fbdf28241ea4f5f499684

SHA256
e34c6b05ae4d41c1835566311a6a2b3343665e3a6315ff880fc9e6156a3704b6

SHA512
d5eb4d6c68e2a17df59cd4c15b841f89942140116786cb81a9c064bc769a42b837c0ea65791834bf0f8286703fbd376e180ed2ed07d687e2613e7c35c564f2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.2MB

MD5
55539e0ce83fb90a30929adba4017b85

SHA1
e5306374553b58d1295223e36452689f7fbd56a8

SHA256
e64404e3ae9feb4b080622f702bee11d88c345c1b39623fe945b8667d5734f83

SHA512
1f4b2cad565793b751b2a7c0615f4bc6244e776f2e96ce5d9b26b2a1602f4f270e66d5eafeb7f1f1976af991318cde81a1d56bfa8559d268401ee7203b06db63

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.2MB

MD5
87bd0d2582071bda48652f00f8722af1

SHA1
1e8033cac3b89c8a881dd20102a0f8d28568b80e

SHA256
1bb708a8fce7a2ace5c06ac47fe3cbc8f2365812ac7f8995a946b968c4d6e642

SHA512
6b2fa9835be7172cef138cf3289b31f58e0c4cc072a55cafb384a145a85350de5a1ef18adf25f349b3180c49bcccc26ac3229ef75efda21042a8473ed3146145

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.1MB

MD5
5341caf61e76d901f66808c6873890bf

SHA1
c03bbad4dc340b1d8f049dd2cf2331389bb1936d

SHA256
8975321ec8fec6cb378f70fd08b433a20dbf1ee51bc93e81054324bc9c06d2a0

SHA512
52d5b4b9b5db994d4ee354ee4cd6788a2efa38c7254bf715d2a6d686501732e7395331b8472dfb0e9b5f739a2c933856910337193815b5c12d6ba566752fc5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1005KB

MD5
edc1811d0ea8535a3e353d8c899cbdb0

SHA1
d9918b54d361a32ffb22a2169009d6f8d5b2a2b4

SHA256
bb41d52cd9d5a0f5bc55f5f6fcb4c7c4fa8f24a596ace413275b876a76b6b41e

SHA512
41eeeea83a1aed3ce7e919520665a504be51cbd8d57cac59b4d4017102fb12e9f50a5f8bd069f593e1efc40eb7fa93ec9a3096287b971de3bcaf2de5d08b4fb7

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
6d85a04f5bb329cbba3880c43337ec52

SHA1
8c2e62f730619b2e06a5fb802e115606b664525a

SHA256
ff95e5e3fea6e5f9692d24c81ab36bae1013658a34bc60cdcd9b4c591e7feec1

SHA512
31919b83c1b66e4eb99612c6b23a7dfc1cd107e51e3178bc8fb695c8243d7493f43b05a4ab8d0880763aa584ccbecdb1b61b31f0a66d8a92938884b9ef04daf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\_desktop.ini

Filesize
9B

MD5
888e0958022ac10e914e1c9ca3f383ab

SHA1
37d80b3ecaacfed7092fcbe70d7c1000a5246e09

SHA256
627942d6123a7fed1e8414a3d46906af51b7c5f06837df6d288707d29a84e1a1

SHA512
a643219412a29dde13c4d0a9619dbdea00193e91276e163edf546f3392c704a8c2936a2c27d2a0206bfc3ca592d7d79be849c51a1d9af0e4d237cd3dc47eeec4

Download Submit
memory/100-48-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/392-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/392-11-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/856-135-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/860-227-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/868-87-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1056-205-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1076-189-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1216-209-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1220-181-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1300-101-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1320-156-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1328-34-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1344-169-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1420-149-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1592-164-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1616-197-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1724-201-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2176-108-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2196-223-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2344-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2360-27-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2388-5479-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2388-8-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2388-83-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2388-9128-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2636-142-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2764-193-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2828-185-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3396-240-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3396-236-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3468-231-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3564-94-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3564-213-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3908-64-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4264-173-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4364-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4452-217-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4564-235-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4564-128-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4600-241-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4600-1978-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4672-41-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4816-71-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4840-119-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5116-55-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download