691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Size

2.7MB
MD5

e80b5d6fb28284211542354b55af2e98
SHA1

3f3c0531c1dd664951bcc610f391c6ed85d47e31
SHA256

691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3
SHA512

a0ef807133f9b2f9dbc4e239588cacd0674cb9d87613fd9af62eebf98703ac9761115a1be64ba0a72bf3f6539e41732117e4938d77b1db36e86c6f30d618721d
SSDEEP

12288:vj7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7Y:3cX

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 60 IoCs

pid	Process
2176	Logo1_.exe
2244	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3024	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2980	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2584	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1528	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1040	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2292	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1676	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1020	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1492	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1240	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2476	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2440	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2848	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2860	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2784	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2640	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2672	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1940	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1608	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1804	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2336	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2896	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1752	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
824	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1532	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1288	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2408	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2484	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2076	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1620	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1852	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2528	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2804	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2856	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2840	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2728	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
492	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1672	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2432	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2148	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2688	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1796	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2996	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2888	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
660	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2080	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1356	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1308	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2408	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1428	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1304	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2724	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2876	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2984	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2184	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
532	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2660	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe

Loads dropped DLL 64 IoCs

pid	Process
3068	cmd.exe
3068	cmd.exe
2856	cmd.exe
2856	cmd.exe
2944	cmd.exe
2944	cmd.exe
2612	cmd.exe
2612	cmd.exe
2600	cmd.exe
2600	cmd.exe
2052	cmd.exe
2052	cmd.exe
2884	cmd.exe
2884	cmd.exe
1964	cmd.exe
1964	cmd.exe
1128	cmd.exe
1128	cmd.exe
1308	cmd.exe
1308	cmd.exe
2480	cmd.exe
2480	cmd.exe
1464	cmd.exe
1464	cmd.exe
2528	cmd.exe
2528	cmd.exe
1844	cmd.exe
1844	cmd.exe
2764	cmd.exe
2764	cmd.exe
2840	cmd.exe
2840	cmd.exe
2728	cmd.exe
2728	cmd.exe
2584	cmd.exe
2584	cmd.exe
1512	cmd.exe
1512	cmd.exe
1272	cmd.exe
1272	cmd.exe
1596	cmd.exe
1596	cmd.exe
1800	cmd.exe
1800	cmd.exe
2196	cmd.exe
2196	cmd.exe
1964	cmd.exe
1964	cmd.exe
1600	cmd.exe
1600	cmd.exe
2712	cmd.exe
2712	cmd.exe
2808	cmd.exe
2808	cmd.exe
2256	cmd.exe
2256	cmd.exe
2460	cmd.exe
2460	cmd.exe
572	cmd.exe
572	cmd.exe
2088	cmd.exe
2088	cmd.exe
1592	cmd.exe
1592	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\04503.com"	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File opened for modification	C:\WINDOWS\FONTS\04503.com	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\WINDOWS\FONTS\04503.com	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\rundl132.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1580	2176	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2660	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3068	2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	30
PID 2064 wrote to memory of 3068	2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	30
PID 2064 wrote to memory of 3068	2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	30
PID 2064 wrote to memory of 3068	2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	30
PID 2064 wrote to memory of 2176	2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	31
PID 2064 wrote to memory of 2176	2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	31
PID 2064 wrote to memory of 2176	2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	31
PID 2064 wrote to memory of 2176	2064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	31
PID 2176 wrote to memory of 2396	2176	Logo1_.exe	33
PID 2176 wrote to memory of 2396	2176	Logo1_.exe	33
PID 2176 wrote to memory of 2396	2176	Logo1_.exe	33
PID 2176 wrote to memory of 2396	2176	Logo1_.exe	33
PID 2396 wrote to memory of 2440	2396	net.exe	35
PID 2396 wrote to memory of 2440	2396	net.exe	35
PID 2396 wrote to memory of 2440	2396	net.exe	35
PID 2396 wrote to memory of 2440	2396	net.exe	35
PID 3068 wrote to memory of 2244	3068	cmd.exe	36
PID 3068 wrote to memory of 2244	3068	cmd.exe	36
PID 3068 wrote to memory of 2244	3068	cmd.exe	36
PID 3068 wrote to memory of 2244	3068	cmd.exe	36
PID 2244 wrote to memory of 2856	2244	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	37
PID 2244 wrote to memory of 2856	2244	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	37
PID 2244 wrote to memory of 2856	2244	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	37
PID 2244 wrote to memory of 2856	2244	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	37
PID 2856 wrote to memory of 3024	2856	cmd.exe	39
PID 2856 wrote to memory of 3024	2856	cmd.exe	39
PID 2856 wrote to memory of 3024	2856	cmd.exe	39
PID 2856 wrote to memory of 3024	2856	cmd.exe	39
PID 3024 wrote to memory of 2944	3024	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	40
PID 3024 wrote to memory of 2944	3024	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	40
PID 3024 wrote to memory of 2944	3024	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	40
PID 3024 wrote to memory of 2944	3024	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	40
PID 2944 wrote to memory of 2980	2944	cmd.exe	42
PID 2944 wrote to memory of 2980	2944	cmd.exe	42
PID 2944 wrote to memory of 2980	2944	cmd.exe	42
PID 2944 wrote to memory of 2980	2944	cmd.exe	42
PID 2980 wrote to memory of 2612	2980	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	43
PID 2980 wrote to memory of 2612	2980	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	43
PID 2980 wrote to memory of 2612	2980	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	43
PID 2980 wrote to memory of 2612	2980	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	43
PID 2612 wrote to memory of 2584	2612	cmd.exe	45
PID 2612 wrote to memory of 2584	2612	cmd.exe	45
PID 2612 wrote to memory of 2584	2612	cmd.exe	45
PID 2612 wrote to memory of 2584	2612	cmd.exe	45
PID 2584 wrote to memory of 2600	2584	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	46
PID 2584 wrote to memory of 2600	2584	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	46
PID 2584 wrote to memory of 2600	2584	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	46
PID 2584 wrote to memory of 2600	2584	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	46
PID 2176 wrote to memory of 1188	2176	Logo1_.exe	21
PID 2176 wrote to memory of 1188	2176	Logo1_.exe	21
PID 2600 wrote to memory of 1528	2600	cmd.exe	48
PID 2600 wrote to memory of 1528	2600	cmd.exe	48
PID 2600 wrote to memory of 1528	2600	cmd.exe	48
PID 2600 wrote to memory of 1528	2600	cmd.exe	48
PID 1528 wrote to memory of 2052	1528	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	49
PID 1528 wrote to memory of 2052	1528	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	49
PID 1528 wrote to memory of 2052	1528	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	49
PID 1528 wrote to memory of 2052	1528	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	49
PID 2052 wrote to memory of 1040	2052	cmd.exe	51
PID 2052 wrote to memory of 1040	2052	cmd.exe	51
PID 2052 wrote to memory of 1040	2052	cmd.exe	51
PID 2052 wrote to memory of 1040	2052	cmd.exe	51
PID 1040 wrote to memory of 2884	1040	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	52
PID 1040 wrote to memory of 2884	1040	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
  "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC14C.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
      "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC330.bat
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC4B6.bat
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC533.bat
        9⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC63C.bat
        11⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC8BB.bat
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC9F3.bat
        15⤵
        Loads dropped DLL
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCABE.bat
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCBF6.bat
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCDAB.bat
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCF9E.bat
        23⤵
        Loads dropped DLL
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD0D6.bat
        25⤵
        Loads dropped DLL
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD20E.bat
        27⤵
        Loads dropped DLL
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD28B.bat
        29⤵
        Loads dropped DLL
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD2C9.bat
        31⤵
        Loads dropped DLL
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD317.bat
        33⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD365.bat
        35⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD3A4.bat
        37⤵
        Loads dropped DLL
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD3F2.bat
        39⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD430.bat
        41⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD49D.bat
        43⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD4FB.bat
        45⤵
        Loads dropped DLL
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD559.bat
        47⤵
        Loads dropped DLL
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD597.bat
        49⤵
        Loads dropped DLL
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD5D5.bat
        51⤵
        Loads dropped DLL
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD623.bat
        53⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD662.bat
        55⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD6CF.bat
        57⤵
        Loads dropped DLL
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD71D.bat
        59⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD76B.bat
        61⤵
        Loads dropped DLL
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD7B9.bat
        63⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD807.bat
        65⤵
        Loads dropped DLL
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD855.bat
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD893.bat
        69⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD8E1.bat
        71⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD920.bat
        73⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD96E.bat
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        76⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD99D.bat
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        78⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDA58.bat
        79⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        80⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDAC5.bat
        81⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        82⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDBCE.bat
        83⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        84⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDC6A.bat
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        86⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDD45.bat
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        88⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDDA2.bat
        89⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        90⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDE00.bat
        91⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        92⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDE5E.bat
        93⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        94⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDEBB.bat
        95⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        96⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDEFA.bat
        97⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        98⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDF57.bat
        99⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        100⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDF96.bat
        101⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        102⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDFE4.bat
        103⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        104⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE022.bat
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        106⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE070.bat
        107⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        108⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE0BE.bat
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        110⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE0FC.bat
        111⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        112⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE16A.bat
        113⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        114⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE215.bat
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        116⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE273.bat
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        118⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE2F0.bat
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        120⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2660
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 588
      4⤵
      Program crash
      PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aC14C.bat

Filesize
722B

MD5
a2ed712bfdb94604313d328104a20a9f

SHA1
aed7ac13994faf5e38c336819ab89747814ec14d

SHA256
4cb2e3197ed4442a0d8944e266f6a46e7a055267f6a0065c39de352da0a39c62

SHA512
7894bf163869e40f1d02b8ab99322959e5f46c60c8b53d68057ae47bc20b0d40d055b24a3eb5a9fffce4c0f82774079babe140ef256f49a6e42af973f2c335b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC330.bat

Filesize
722B

MD5
60e66e5d9e585d99e5dd04300e2d8d21

SHA1
ea364584418cc3b41889f3f66f77b46298670b4a

SHA256
1a353203c559a8435451b9fecf34d786608b222bc1fb16d2aa680f8b5bbf6ec3

SHA512
605ca7011ca9fbeb4bde0491f2e3719f6e90f23017ea8605880ec9ec842e7185b680ef56df5ef343b9853da08d2892d56663209ad7acffada46fcc8b6bcc7659

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC4B6.bat

Filesize
722B

MD5
2259c98074fb9f132297fa9ac30c1775

SHA1
1541112d474b4e6060047dc7360fd9c84c08f6c8

SHA256
33697e5bc67d17b8a9938344571176f5bbad7b2134bc28aea2b9e946f03ed1b5

SHA512
911f838cb7f4c0ae143404d4035f2e75091ce4723ccff05f44d090ec0abe7c03a35aad26b3c8f6543e547e93ddfddf8ecc7641379b132e2401a1ce23e4f84fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC533.bat

Filesize
722B

MD5
a4f3bf0c57e1dc4d2167dffbd85d63c2

SHA1
89a60950d8d4e65b55d16774c3b43abcd6bb0bba

SHA256
5bf7f97f1b4f5f34c428e94b237047c0fa3aea6873bfefe48bb820f45ea5a705

SHA512
fa0bda6162ab8629739bbb7dc9402bcbb4a2b541e6fd8d8b22aa54e0513f182064f28fa65ac683662a44210247aaf66e662350068feecc685a15f3183e0ad18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC63C.bat

Filesize
722B

MD5
35fa9ef62950f3c58871f2f3001f0beb

SHA1
8cc91d4c07d6499ef128551931b818b2a61b97da

SHA256
a847805bdfa97c09a70f4bf63c89b815fb07cc37c09cf68dacefb10f40115da2

SHA512
55bc2c0af0957936c17d630f22fdd294fc592a35aa0e1119edee235f7683fd0b13b01e1f69cf681c1d1d2e6fa6107781243cb3b8050449ceb73522b2015d7d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC8BB.bat

Filesize
722B

MD5
b61a448409f401dd1e55ed0b2cea8ef5

SHA1
0d88e5499d8fc3f02951d04e2f022e273c2fc560

SHA256
8f5894226ebfa8ecd7a60c86919acaa563e25e12a257ec5b3b557bd3a7b95561

SHA512
45d43d313a496d60129732b6e1ce9736c3d9c7fc426e5b41ddafa2209a20c0f594992e776c41be31391791941c11d6ce9f14dd5cbf1a4203b5da0b02fc603a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC9F3.bat

Filesize
722B

MD5
a758f6b832f49fe3451cf1ba309a689c

SHA1
8e08494cc1d29e82841512ad2e1620885188642a

SHA256
aeec34fa9dc59a5429518cbecba502ff44b89abf932541f29ed01780bac3fc18

SHA512
3bd48db6d07280db809ffa02b2e56167a1ad5e7c1c7b436e01e6f7748a83720a5d4aeede65bf39ddbe107df1583f7cf9eddfffda719fd35bb5c575c45494ae39

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCABE.bat

Filesize
722B

MD5
e09de61455f4cc1607b4112c6b98cfac

SHA1
3b86dd2300c8e985977fc6a9f0e2b6f9bcf113af

SHA256
c2cf779281fdb8b7a85f08d44e27ddcb1018e35f907f47b61ce359877c63f825

SHA512
f26d64d13925d754713c8a3f40f3457e87e42ced2e3e970efd8d37b51d9ca3e303109756ad5215f864fa8e141a73779e7a17cf7f37eeb1107336f4c28f3b3b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCBF6.bat

Filesize
722B

MD5
c4d16ab898416d293e5e2cd79126f000

SHA1
e3aa2e5e579cf390d83ffc51509a9e65884c408f

SHA256
57a84f917d7a47cf4b2bf2b0f7054059e202cf8d056f58f9ea59b4b41e3b0e40

SHA512
c7224208341fde348cd2ac9c30d858a15b1c86294add54a3e385307d89d49c82319a7cf924050e776e871660d114b52a56053094e0401e8f1aac5fdbd7d8dd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCDAB.bat

Filesize
722B

MD5
4a68c4fe34a78130c9a6b07d5bffebe3

SHA1
0c6818570132d0f715fd0b8d0cc5bcd6a5a941cc

SHA256
964a9a9379d5eeb56bfd3f000a7c4e27da744acf9ea08b420be4eccd4eb75aff

SHA512
150a6e919ad460985734ab057cb60fb1ca5479fdaecf9e4b34a141b3d91ccdc07c61e78667b00d4d9328a8c81b8a2c645f006ab3fa2012094b80dd206b9c0be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCF9E.bat

Filesize
722B

MD5
bfe13b44c44974e2efd884c11dc42b56

SHA1
282d074b388f08cc3f7cd78845aa24c37e3e880a

SHA256
f5a72fae8db700379fb5c19907ddf2758890167956b1efc3e7f5e087a0587769

SHA512
05c6a9867048790f9885934f60d1ed8d1530c8fbf5ef2dc5a2cb12d8bc4cac2ef6ddcaa95a0548c5f9e02c8b3f3e75fa22799115280b95196e2e1348e3c56469

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD0D6.bat

Filesize
722B

MD5
11f3f665e464be5e04e555c9171c490f

SHA1
3ba80d2d057daf5df94cf5624b6b44093d2523bd

SHA256
d0b4e89a8503efa00c7c2642819bd18beb37836ef1bb3576bcaa26723fb0a53d

SHA512
61cb679e8ef6ec59cb15a2670612206a6cd8b440e8f59a01e710c157f6fd474baa0e75526e45f44e8f12ef2089b363ba18173939fac2fa59377475d473d17b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD20E.bat

Filesize
722B

MD5
a8973c30b621f5528c4e6f29aedf4969

SHA1
6e84f8668e0cf84aaab9f1efb6b4677cb45fe4b3

SHA256
b943e2ca6f374c1fbb29c964b50cfc2d65d4b1ffc6aa7899672c05ffe1a73daa

SHA512
c837d64611fcaa0bab67bceabb6aae6abff4e5b4b3b7e518f13bdce6e42e6b5901aadd579071cab5abed26b4d8f064c6614d8a00cebe347293a396ee833d628f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD28B.bat

Filesize
722B

MD5
75d9fda6181616cf92c8fe3790d7dbde

SHA1
d518aafb3e8bd5fadb9a13b39d8b15657fa1572a

SHA256
210ac400d6071d3e1c116900bbaa33aebb5f282bb72479c0020b2bac834d9613

SHA512
44b873b85064710f7413c24dfeac8b0f4a8465a66325146e4acc3d41bb4325b1d2acbe1c8e0fba2f335797ac3c944bd249a27674ccc1818cafd670c43d180383

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD2C9.bat

Filesize
722B

MD5
c74315bd0e0f966b5b09ffffd5724720

SHA1
96a99554232192f654b52e80fc723c90afd3d163

SHA256
5f7e83eda538173ec72dd4f72a175c111c7d5d1eac8222dbe32ea7423a40122c

SHA512
12f9778b18a1a8ae3f6704fb8c8a9363797589a0dfd3594f5afe1032c69796edbbad73963f417be5331979267f2229bdca044c1f277f0449982b10b649e598ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD317.bat

Filesize
722B

MD5
0e87119d27bba5b1e3bb83ade4ceb675

SHA1
6929e73aab18764fd8620043f3a6dc02085475d1

SHA256
bba4add6322bda37b18916cd57a76b87bc5477eaaaaf29f08f09e451ef6c1401

SHA512
4038a985e036e3bd7e605f995f7719e52d6929258384d375b77bd7835ac9213ed1301d3687a2ebf1c0ff72982058ac60cb99a4e8de788848c398bcffe6afadd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD365.bat

Filesize
722B

MD5
145194c52aa559b5ddd8095bd84aed71

SHA1
332ecaf7450216fe2660ea5e0e04701f7cd51bc3

SHA256
bfa9075dd43936f8249729137da3af150c4146df15e2eb20b4ddc5b73d1f3f46

SHA512
3e8fa928769cafdead12995b424d0caa6edaa872cd3e3c0a0c2727a7b3fcf2b85e06af123d90362153c51074d6129f94a3985bd16d5b4066755dac2435094052

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD3A4.bat

Filesize
722B

MD5
a5615123e87261ab0c193bc7e7aa2118

SHA1
a076d230525d86293ada9148cfacea36b8d37438

SHA256
cb7bb9ba88fce6a0df815755af635734624d816de9e541fbcef8df279832da00

SHA512
16ed8e10125453146bd4a7e686bcb9f1ac8f0bfec3fddc0b4ff47a37bf93bd9020737ee2f010bc2f16b02270d1328819599e5a09ca3a407b6fda0b26377b070c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD3F2.bat

Filesize
722B

MD5
ada4a8af2c904af58d5966699dddf7cd

SHA1
8b119a7af781cae78b36183f1e4167296f67d661

SHA256
da25db4c0bbfb1c7c33acb842ba79590f6352f5a9fbc82b10feb7dec327de16f

SHA512
a7c1a35006212f2dafaac04b4951a96a4e697b6157f87e686d5a735438f85286ed3756f3948e79ff5597e2e1ccc1ba4b7e85a7d8459c5921c88603c119d2020b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD430.bat

Filesize
722B

MD5
4b7e8f6792fe6b9ad757dcd839b18459

SHA1
cee4e5e8521f21ea0fd1520726757d927c998110

SHA256
75b8d85474527dbf95657342b90d1f2d33ffd82005023355ef2700f4832ad04c

SHA512
80a15f5990403ba3f761b87ccb99831ef39109dfe559932f73b1f542fb1d257d7d713ac9b23c5c900288f1f84ba6e7aae19b366b7ba5afc5c0d3d2179a6982c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD49D.bat

Filesize
722B

MD5
c7fd25a07b984874a136254957fab881

SHA1
583e5961cba93e9911d107080ab5123123dc8bf6

SHA256
6a4a1b374776ba360bedc1a1f2aac1a821ae73bf3f6b0e1cb63e4067c207f611

SHA512
520027ab75b6d8b1587559763504bed59d3ff042a83fa788bb247d546874d897aac13f10ae1ed0d5038a31fef05fe02ce3eb9438ecda17a761ede2e48dfd131f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD4FB.bat

Filesize
722B

MD5
08c445259c238d02f4a51820a41630fd

SHA1
be25cdc050b6a1ec11d9675243eba3fc5b4d2e14

SHA256
ceb01fc194c54994d73a4044f321bebcf6c274ac471523b91d7c3791f05b3a39

SHA512
25d64f91abf0c33e420d01ab02ea0b59a95036702cf3d02a5858c63fad3fdad03f11f4d459408eb0716f61e9d2b9fef7dea5396c8878f5a4e05edfd18ed3ffdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD559.bat

Filesize
722B

MD5
1f794ca2a823c8959c8ef1c023916bbd

SHA1
4d51f5c0f28c4acc5eb0d90cd310b1be22f4a841

SHA256
ec2e1f43709fd8d7eb0b2f0f83c7491fd5ef53fdac25b29d30b2b611b15d2e8b

SHA512
cf4ec8f6faa8b496055971f8c070b8a9dec3d053817dd82d1f3e77d0d1e56da362989cfc53a9dd62e686596ebd99f2f6a4074213e94c72a7caf128235a039972

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD597.bat

Filesize
722B

MD5
d29bcf0c3d3e3793ee88bf4bfd6bb014

SHA1
0da42b99116d25d4785fec1f1d39e20568e18efe

SHA256
236ca873e4c41138624df2c5d87834812a707367d102e0f3f0384ab23b94f5cb

SHA512
ec400fb894af1c7b7dc1c96d0d5337eb3d79382b84307f3a00080ec44869837dd1547bcf23b4220a3fdc98c0dfe9f73d67239609b8f5389dbf3c47dff659b890

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD5D5.bat

Filesize
722B

MD5
2aef9d224e07800eda9d42d0cda6ab60

SHA1
75fec0e17fee355b5a373964cbdd2a9ac626cc9a

SHA256
bef8b33b54bf9129a6bd9a893bb31a0d28f111e21d9402c3baa6c727523d5979

SHA512
d5770dd0ce77166ad8136bd25bdc7551c8b55e0ce7d2f00be43099ba130c293fa3b42d4690f7367dc8a90ae48be9573e87c361ae7b7374814daaeb7331c41679

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD623.bat

Filesize
722B

MD5
b45ad1e67f9b13410e67781bab149239

SHA1
d28b296eadeac438d298e0b57c07c97bbf58a619

SHA256
43181c3fdd9de0441f048b5c068b79a7c9bef2ce676c41fe258d1711e710d705

SHA512
80500a9f0c4e6aa159f42af8c2ecf9721220a85aeb845374cde61c63180dc419bd5c542f43253f498d9ca68fa4422f7f45965b0eb33e842bcb70c36bb975633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD662.bat

Filesize
722B

MD5
7980ea25c604ca04f5a83ea229489a4b

SHA1
acdbc57a2bd7cd7c65c719361896608fe56b6571

SHA256
8a04339966d6101930e855f03845dee958f84e53c4407e7f7d0bbe55d1d79c0a

SHA512
65a5733cf5525492b1df8993730659352f6ed7946579ddd94699d6acf167ef43541abd61da2de8aec4ec12cb1cb9e0c1c1c9fadac9ff66951c9ee2fab5351c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD6CF.bat

Filesize
722B

MD5
ddcdcecfbceaa86ac1654b7fdaea3135

SHA1
2ff4109129b162ec9e696b68fe062ecf1732812d

SHA256
746ee1faaedb6e8e6f120ffccb4656556054c027f27bc0bdea28cb65bdb68c08

SHA512
e7ffb287025908671a5692268c92ba093c94e52a395f202e992c93be3387a99a24bdfadeb536b46a784fa3b85347018db10c1816631afd22458bc9a6bc2f0c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD71D.bat

Filesize
722B

MD5
66ba062cca9bcf78454bd2a4341ac6ee

SHA1
d2add48fc0d3f46e603da3449a70f1318d128b45

SHA256
dc2afd15832ff0cdeffddeadc0f34288739f07803d1764ac5a1a15ca2eedb24f

SHA512
718e4d8f6024fcfc3fff7cd24d4019d8589e6684998c6b40b661f4a70f2de2e623d0e21a78eb488a0544551962c743a556f68319a432a4c2b9750902b139d2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD76B.bat

Filesize
722B

MD5
39eaf7eb38f6ab2838f996e9cdb6b406

SHA1
6a22b45ccd386197348dfd3695e382a49ffa5f33

SHA256
96d92f427d18e0cae0b7031b004193394a69b04072aa25ace731a885f25c8be0

SHA512
79340bbfa2103d59963d915c299c27aa67730ec1e96d207b02212319f666b1a629cececed32ca26578d15291f0e7936bba8feda304535d74cc7021735be4baea

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD7B9.bat

Filesize
722B

MD5
862e8bcb2516228cc8e40980eaa4cabc

SHA1
73791ccece20e383a193e3a1602dcf980d20b5f8

SHA256
abfaa64f5a04e3ef1d13fc6644768d9c3ba6d64484ce0d50bfa36a4e7159e36f

SHA512
469bbda8fcc86a5a410f56bfc5e70b55c9bace1d2e175095ee7cf68bb53a85d46318ba3bdb507dfcff2ca159ee8b3c107d641e534bc1378dc1f356720c97757a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD807.bat

Filesize
722B

MD5
9a80fc3ce7520a4187cc5918d3e69142

SHA1
a2d9d67d075fdc5fbab6323d034ecf58d35f47bb

SHA256
2adb0bbb1606363b9c685e4ae65c7a32082b5fc63080c50c1ee43789ba20fd3e

SHA512
2057e689c8b133f305db7814f7f1bb3505a52c5ba57f707b030dee94659245fd0381c7b5e10478342668595b23dd3480b8ebc50a69c80a37e3a3067f41470e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD855.bat

Filesize
722B

MD5
88aa092e71dbf1049f0b5ce3341059dd

SHA1
13ca19e2513050640b1060afe36161ce05bc8a6d

SHA256
5e35c5c7f4e45595396414662d9091f64d46739f2eb109ff9679bbb91adc76d3

SHA512
58927c91e02345d6118f10dc63e70c814af1188f3f508827a41534d7274d8fd70c12c06ba1ba6316ba432f73033d73618d88b7d130c4c87f551de69a80776f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD893.bat

Filesize
722B

MD5
ae73e6f5159e016654fa6515b77a1854

SHA1
763aee1a0489d08cc0894b13a1ad5711da2ace0a

SHA256
168a7449acf279ba230179719f08c8b9010dca331b9d35ed1d4e432598554d6b

SHA512
1d8a779b4ba86154779639acd79c9165601d838b2070fb9ba99162ac59a791006a9ca133a9cf1d77bb35f40c1a998bfbaae41698b75d7d9e93d3e793f94b0a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD8E1.bat

Filesize
722B

MD5
012118b805f9c23defcef7496b7be798

SHA1
3dc4a3f739e21ea7913d22329f8cf1335bd7e1b9

SHA256
6013e7dbe7f469b22f28cee80981ed600770789d3143607613b50bbbb438ffd9

SHA512
8b7e772fd555f36b10381626744af60a424a23df461fd2ae32978c86d1c91481f3eef89d63e9428176c5df7e38251c92682bd4eef5b468b167d6e545111f037e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD920.bat

Filesize
722B

MD5
0cdc583677064a8a833790ecb79cd55c

SHA1
f5f4d58086f4577cde6d313ea0576b34c1bc9b75

SHA256
802c333464480f2306fc50a8ce5a36d4b1b5db80004dffc1f2544d26a29a3134

SHA512
2611d007f7d1d6abeeef830eb4842c61d8df90be803f773c68e2da6f9e4b8c22cfc0c29eafc665b8345f8103e82d4194ddbcd8d9801c45bb91bcf5a5bd38f80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD96E.bat

Filesize
722B

MD5
70bb135f9b387e7c61213e2acc0e6cc5

SHA1
b938a46fd075c23206e0e2e063b3dc6b14ef2814

SHA256
bab62a8b355fb119d18b414c3fa0fca88fec58d05dfae41b8810d28de426ef9c

SHA512
8656383e14c82d646580b78edd6c57bf3d1fb75b526d17cc3bce0a66687f6c7e88b330cf1bd2e9f45e7ec00571e41807cd9e3b5354fe02671f39e3b087b6e6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD99D.bat

Filesize
722B

MD5
430aa5ada910b78e6d14471e7c51acc1

SHA1
1b8408bb78c54431024ec526256fe5bf839f7a99

SHA256
694e2ac0788ca05f98925e44eed018c89afcd1e2c7c6756ec5101bfb67b4b558

SHA512
f8e5aea68893a36db57ec6f23e491dcb26a35e28d194bb95d3d91fb50b38935fab2e738bb8b69412b4750de91946c68adf4a7d39b943a5d192b71dbb08b49ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDA58.bat

Filesize
722B

MD5
cc5e9610bd1529a49aa48301fb8d530d

SHA1
de17d8c8a4a91b789aa9128aa61eda8524ba8af8

SHA256
86bf4858ad005d05e99ee786a3f096b86b0b6117af208b64d4f70c0a0340bc17

SHA512
4b46131524ef6fed6ab66ac646402275a080ccaac7c610267702f9488f02fcf20800e50ceac33e29236a92b1e6bdf62a4d015ec2a4d6c4d512ec1a230e4bcf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDAC5.bat

Filesize
722B

MD5
ab15ed144bdcb85eb92c8747b0674876

SHA1
4e5356e3c2713489a9254c758816297be2683ae3

SHA256
79c89e6057a4c5e5edfbeb53b00e53c3c9425a84e389eb7e26d134cc94517190

SHA512
5d836773ce668b9d296cdf88b8d668488316207b034fa36ce0b4b2be29a350dfeb685c0d04abb93898ed3dbfb716061428e66bea85379442df694c5b69bbcf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDBCE.bat

Filesize
722B

MD5
918e687179721c8ff94b1ea68d2561ad

SHA1
466ffc10da834148ca57aac81b62651b52f66030

SHA256
b0dbcf2cb0f2de3220dd2c6dbbd51cd37df4996621cde16af2e7ba74193fb6e3

SHA512
d42d0c33f78e9acfa1472735b38a544955dd0b919a35b76d643c74f64690e07c648f8768268cc5bdf54a2b9b0fcf8216c4a3bd08824ddc50d4432f6c187701bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDC6A.bat

Filesize
722B

MD5
badf2726f6d005d59a8fac6a6c3433b8

SHA1
bd09f943fd1070b39da692cf5fbcc7e91ae2af62

SHA256
b0a23f9bf2f14a1bc8f05dcbb70383fbc82501b3f25bf3c1fbe2fd57e278a865

SHA512
8270490e02c4fa91259bc209fb29b573c5538686b985fcfa537e028968ee36aff25fc7a375fb0bf359a929f0edc9aeb0ac3c66609e8ff0068362dd21c5078da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDD45.bat

Filesize
722B

MD5
51feace46844b166144c842e63effc71

SHA1
a41ca59c0022d3dbb6a58e27fdb2eff66059fa60

SHA256
5d1eff97efaeb76e8e6b1c02cd530e1cd646b04f4035ceb958c34c4f68926bb1

SHA512
177211554f97040ecaa54e3bf32780009b68d329efa1140c16d9dbe14ab7b3c809e0a907e95fdcd6cc1e39d4acf1d6f878fe6457079585cf72c7ac1b4dd68a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDDA2.bat

Filesize
722B

MD5
944bf3f68441936e3512b22d5cffab31

SHA1
08a86952b079d3b5b1737f69548e9570f54b9185

SHA256
f551bac540c7eb5319453a945685ed2409a46210ada052827d00b14cd24ade16

SHA512
eeb5993d188592a2926161f3c9df7f1c510d5db70ece3c88a0e80da673b2ce62e747db07caf5c8a358d91c59433a83b1acc0d95502b35bbe8e74f4ba1e1d1945

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDE00.bat

Filesize
722B

MD5
89456cbc6019096b061a3e06877679bc

SHA1
66e3c0e8c66a2f3cb3d50b14e0bf2428d8d9c63e

SHA256
08d2e59d8457ad85281e532b3c44c2b7e250ab0bc46ca9b6b3640c095161c4ef

SHA512
de9d6c33a499442cb255a0da6fe427b44fe964bc2dd830f8a1833eb2bce5dfb8fd9ec9997fdd00a28b219207db06b49d79ecb16b2ef9230adbbb21799ee00a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDE5E.bat

Filesize
722B

MD5
d67be8312c2d3e4cf5ab1b61fb969866

SHA1
d8db0381463db10cb06750baa4478384e0cb0fc2

SHA256
8794611d507e013a79db1e0420a362fd00934e151a7af54b1c6385ace6a9e63a

SHA512
821e16acbc4c1542e795f443d1594ad07f32cdbf711c8b38ff8f07e42a595179e062b5d11d8d8b73068ecd19507a48f716a715c879dd1a7a75966455311a438e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDEBB.bat

Filesize
722B

MD5
30f4ed7b5c740a039cacacfed4249317

SHA1
b68ff006d0a86c0edcde13d2135afb696bc64a06

SHA256
add9bb409771fd5a72844128c2a5d3d96b93e615edc2b819c50297a2f602471e

SHA512
4985c98135119d43e7b5657442d3dbd3c4dfeb78b5ca02ff5e815917aa6e2c4c4aa01c5dbe65b751964ce95665ab9412c6c145d47f4fb1d5edd07ed422effda2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDEFA.bat

Filesize
722B

MD5
65e5b4b43a93d0adb88aa84b67db62af

SHA1
a25e7b37d4bb75de6b5d78c91ef9b16c09feab53

SHA256
1ccc94f742dd295b26a9543a27f63f4eecf71e9db83652334281678802fdb246

SHA512
ae8e22f2b68e4bf492130a9557274f94c51870e7418a818bbdfd39e2ee819e6c496d855c061df7a11e391030559dc08f4c3a462d59492e9b8b99c8d313ccb8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDF57.bat

Filesize
722B

MD5
d60029ea98089442f54d235e979ec955

SHA1
6bc7002cd146ae142b9cde9b5281b452dd5de306

SHA256
9cd60764a01daed36c8a1e40dd1c8f33a518fb1d910af1132c3d6eafc3256aaf

SHA512
edd14f2e51542edc900569f8ff628dad6f27c1962f557c7dcba88644b7f398de199493308fbf781082494a68568525668c4d6ecbb52d5fcad896788ab70d2a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDF96.bat

Filesize
722B

MD5
bf5640668fbb11f25b05ace8faaecba5

SHA1
b5bef91e5c2968eb1cb9f738593544bda5edc180

SHA256
b279a44c3d22a3a2215e88283abc64dab00ded40795a6faf91ee3fbce44cbfb0

SHA512
4ab5ef9e53a33b9c748ef13b2ffef87a6cee341fd1968fc5ff6c2aa9f0a65a433001611fdbf9df7db06e8ebc9cd2cb170df6e581792284ac29d900772b317e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDFE4.bat

Filesize
722B

MD5
6513e8326ed695d2a5060e14c41fabe2

SHA1
6862702f46fb4bceed92494ecefa23fb869a4ef6

SHA256
cf8dc4b33e3bf99e5d27df5912df4578f7e128812362d01ac77e02bb89eaadbd

SHA512
90b324004275e52d254a5022ce86fbc98e8d3c1c89a013d1bcea599a017123b77fbbf21d3bb0dcd591784ee8eab8c1fed7107bc8e0391b4cab31b34543150c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE022.bat

Filesize
722B

MD5
cac472f2e16009ac5019574881f10c4c

SHA1
d9a722c73411f6fed4488a25ebe68c8ba2229e3a

SHA256
68e4c1a43065ea5d9104db73e03d5322628a0015916c067bd6f9703256bbfc47

SHA512
1ee7c8753a1a8d92eb02c36e2fcad40e7f676424a6fdbbc64e944f5fda4c03d479f7d511238c852685265857f90058fb2698212013450fe6bb06d6a8c4786763

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE070.bat

Filesize
722B

MD5
6d44b6bcbb55de34812c21f414b50fd7

SHA1
e0084a76fef3bab652c6896051fae34ff5e8afe9

SHA256
ad3c1839fccc1ac40f3ded82feb9a996dab2d91965adcd62d8717c9c86b9f3d2

SHA512
39ac55a4ca6543512b4fb16f4a61fc41f075e6912280f367d5a49f5d37ab69ef927d61052d63149321fba31a60b9cb86e28c4e32c5e3e61718289dcc8e8e0e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE0BE.bat

Filesize
722B

MD5
c365029e1dd4cc7b2e26fc49ea89b6d6

SHA1
8bc031fa07e722dc1d51eb2fb0f85cfbb35286b7

SHA256
1591a00834c2ec1b77a79ffe633fe41a0a3f5a131ccd8541379552dd3ea1d117

SHA512
f44a697a3c6ce9d8a06cf4619e3b173824018d54406151a9aa3d9629daeee69d14e2c0a92a055db866e9244bbd39f80a29265e9c5243d160f8bc32336a52bd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE0FC.bat

Filesize
722B

MD5
1ab69dc285f113058aee4bc4f453fe17

SHA1
ad7f59d9d1ac242c4ea19f4f01ace7f84eacef6e

SHA256
11636a0515a41abaa7b66f988e1c18f3659c19f98924303c4f16ec046e27c915

SHA512
7989d2e48f7dded5879b720131e15c14198d02db675c06d07b74decda7cf85e05f875c698a8c30bb178ec8a9299f18bf32a1eed78df5fc32d815707f27db4182

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE16A.bat

Filesize
722B

MD5
c0bea62a90f8f6021b678083507cfe9c

SHA1
12f191c53091342bcfc50c92c95f8fa965d8391f

SHA256
67de02b2b28af14051b07f4247db7737c82781858d7b410c31ff5365e20e7732

SHA512
6d177d180fa4534416edeb2f21fdd12b1008361d8ecfdf06731dc9a65463f36f36ebd1a5c9aba291095ecb6a14015ba3a8a346e04ade0701104f9a0103f60d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE215.bat

Filesize
722B

MD5
22bf0145f9ff76f53f90a8ffb6397d19

SHA1
9163137eac32ce9b7ab855223dda6e413b0025de

SHA256
7d8815bab66320c1d47387f271062926e0755d90e5ab26dc631418e8608fb60f

SHA512
5d031fcccb76ee52ba5cbc73e3af16d9abb7a531fad1af03ab83fb28e31ce29e8a48280c580fa58e74d93427442c5be52479e46cefecc65f87d971b2d894daad

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE273.bat

Filesize
722B

MD5
952984fff74abe2c6253950ba75f0bc0

SHA1
8204ef5a01ecbd90a45f663597ccd4d682299c0b

SHA256
a1c5cf5656deb957cb22cc28262a97d46eaa563cb5e165813e135e39f48f4d2f

SHA512
29ae8e4cc428811948cc4032366e550b63539a5b773b7bf8957d67e248a0dfc239a9591a2f5126650ac6f33b402a8977a7a1a0e508ee188e8148adec46e852fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE2F0.bat

Filesize
722B

MD5
43aae5fa435a1d1bd4164a3b16856e53

SHA1
0a98cd205aa154329578458c19153d2c0a815d3f

SHA256
4b1fbc29082060a32842a632d175fed309313bbd419b2ffbcaf3c7e898c65cd4

SHA512
6c0278eee1c3cc262a283b3af7a34dab5bdca86c0ac119690ebbdda33c9faff3c371435fd85cfc8c985debfc665569a146c419674fc8e550a0cdf5ac63e02d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.3MB

MD5
ee5224c7af0ca448809311f5d5d0ac92

SHA1
6e9d7c7b30a008db94a17f40bd0df234b34b035e

SHA256
1e631817553d5d6546691864c336086c6e6158b7031d93abd85b7be28f952e95

SHA512
46dd8f473c8b28d152d9d176b2f7c3e670c61f58eda2ab21a6e5fcfd328fbb57ca57d38419e5228a2db8057bd9c53048650985bde5d2f0106d53c1ce0dd4ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.2MB

MD5
0655f93740d40e73a63659f993376388

SHA1
84e3cc33c3c25c26392128ea0dc5062cbc89c8ed

SHA256
e5301178fee0cf24e3a15b43642c7d1da8ebe5e945cdeee6e4688d9e72f82b15

SHA512
91e7b34f63c9b4a3a9077462254238d4024553fe189d598f8ee913ef2f45293472e3244870659e88e33beddc184ecc48e1812ac9a912d9bc9fcf4fd5b9c12ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.7MB

MD5
a0d5d1a7e51ddf3a16cabfebdca1abd2

SHA1
634b3231de7fb93cca784a292235f54faf0f5d81

SHA256
f0fc47be8d77e7d6fb3cc7e2e2101483893e30928fb7c1de6a01fb59d9415877

SHA512
b81fdcbcebc7a614163807aade53f1c6209f9c3b5b86af19268e0e43c4854f74e950948abac1e2f6eb01a4d5e3b47213246b81a88c1c6f7412aa8e2c3b925ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.7MB

MD5
ae8196496642782572876d6f41d52ea2

SHA1
f94015c1f463180f51e51c0fb3f34333cb42be11

SHA256
68dc1f70be2631441db836e63a0ad0dabf20ce849afe2ce3ce4e06ea364d052a

SHA512
6e0de64ae6a06825bb841c9c3889a63704627869c53045e2043847c20b26095ce159275d83fe50a3ea00b125f5873a34fe549dc2be3947be8029dc91ed3aa492

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.6MB

MD5
c1fe2f5aa024333c9e16b50f567e7edd

SHA1
f0e1e898af04b82b45c24d5350c2afe7f9d2e2d3

SHA256
a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf

SHA512
554b72d82a6a329957070dadfc38253899044de67c9d6bd4f27cb9531b097fe1897b6345be2360a76c8a76a6edd780b71c3e0deccffcdec2e76f8cb6880b6f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.5MB

MD5
2d8020710bd51a9280bb8c23c28bff6a

SHA1
3b6ad35921dd59358b04ec304b922a7aaa2149e0

SHA256
c58bcec14503c2167a549ddec40418a4151c1624287f76961539d66e52bc7146

SHA512
d7e146017539111d7f45efa9260d3ac12840ec34574ed6512a3c498ff368eabfe68ae5117c34207170057e81361daceda7ece2c48b25642dc2ee33b82b0b8b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.4MB

MD5
3baae1aacb86eefd1732edd07f95936f

SHA1
e8e6b0b06ebae55a45c6405e27d131076b280208

SHA256
055e7eb2f930f945226daf682591695c6895cfc321c30a1ed1c580d3addcec25

SHA512
3a8d665f83c8ce15e4f093bdc10ed4388d8ce603c8f6ea41741f56909659afd46ef8a1bd9d49e065e9a7abe5f400f0660aaaff1956b26f6b1abb7ca213f6d752

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.6MB

MD5
318d2c741656f06f7d7aa2da999a32f9

SHA1
0522ded7028b5cabcacf251fa66bbaa97658eb14

SHA256
c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b

SHA512
5f4ef057b74e27fde7970f714db3fbc9585ffe4ef3096c89297b4a892446c4790373dfe2c6b0c784c25869c0a85ba22d71627c2012b4b9011e46ac3f840c9fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.5MB

MD5
082e82ae38f578da89a8fb10407dd43d

SHA1
efa9c8f351a27e0534213096b10e43468e69f4fe

SHA256
7a0e4349ed98deafa6f26ddd1289a9c671fbbcf2f8d3fdfb45acfe809e89f0a7

SHA512
be73b48aed9fbedf424c65cd5c6d83442f628205856364ed57d5eaceda20ed852d613456e376e7fd85c17bb9be533e6695894af0578a6625788b80069ac6a23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.4MB

MD5
58231e8a54a4d5ad10981a9261d6df2f

SHA1
79fd962af3dede9832de8856fb96b7723cc2ef09

SHA256
1a2fd6986c0d5d25002b7ef2ffdeab383f7cb19ead19248c7207e5d26bd67f99

SHA512
7e53168e58d3c2d8472a589a711366d932f5295e330544b6ded5a32e44d857f823465ef572ff5d2145ebb5e9d597913c91b6e798177c8d81876bd63eaadb94e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.4MB

MD5
ac788323972e7ee7243e740ff2f8daae

SHA1
6acd6d700849ca9ad064481461f4b7988dab1945

SHA256
5e7a0c5ef3211fc58e0eca20df194b478942534d5968441fc354686ba7222ebe

SHA512
ba1e52d4d8ea9400b359ef4982504010bd12a007d174ac86187050368c03b78e89b51324429d909741e4f1598be2eab28d0b400f0698b8e085f12beeb6921778

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.3MB

MD5
ead3d576cab6bb3e77414935b36ace66

SHA1
e347ab64ced05a4e50b4905cb800147620a18e6a

SHA256
5600effef951ba7fa3bed54b59a857bc26814b45e68c7462f67b1714258b73f5

SHA512
38fd77828d2d8796a33b52e0b57cefb792064a9cef691c8dab97331321a3b3eae6a7c0918c3617a00bab16a686f52c9296ffb022d2b78bcaaa51e9cd1146112d

Download Submit
C:\Windows\rundl132.exe

Filesize
44KB

MD5
6d85a04f5bb329cbba3880c43337ec52

SHA1
8c2e62f730619b2e06a5fb802e115606b664525a

SHA256
ff95e5e3fea6e5f9692d24c81ab36bae1013658a34bc60cdcd9b4c591e7feec1

SHA512
31919b83c1b66e4eb99612c6b23a7dfc1cd107e51e3178bc8fb695c8243d7493f43b05a4ab8d0880763aa584ccbecdb1b61b31f0a66d8a92938884b9ef04daf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini

Filesize
9B

MD5
888e0958022ac10e914e1c9ca3f383ab

SHA1
37d80b3ecaacfed7092fcbe70d7c1000a5246e09

SHA256
627942d6123a7fed1e8414a3d46906af51b7c5f06837df6d288707d29a84e1a1

SHA512
a643219412a29dde13c4d0a9619dbdea00193e91276e163edf546f3392c704a8c2936a2c27d2a0206bfc3ca592d7d79be849c51a1d9af0e4d237cd3dc47eeec4

Download Submit
memory/492-832-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/532-3095-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/572-447-0x0000000000270000-0x00000000002BD000-memory.dmp

Filesize
308KB

Download
memory/660-2318-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/824-405-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/848-1823-0x0000000000180000-0x00000000001CD000-memory.dmp

Filesize
308KB

Download
memory/848-1810-0x0000000000180000-0x00000000001CD000-memory.dmp

Filesize
308KB

Download
memory/948-2370-0x0000000000280000-0x00000000002CD000-memory.dmp

Filesize
308KB

Download
memory/1020-182-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1040-130-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1044-1290-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1044-1275-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1128-167-0x0000000000210000-0x000000000025D000-memory.dmp

Filesize
308KB

Download
memory/1128-165-0x0000000000210000-0x000000000025D000-memory.dmp

Filesize
308KB

Download
memory/1180-2297-0x0000000000130000-0x000000000017D000-memory.dmp

Filesize
308KB

Download
memory/1188-93-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1240-213-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1240-203-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1272-340-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/1288-424-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1304-2389-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1308-186-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1308-2899-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1308-2349-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1356-2338-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1428-2379-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1464-227-0x0000000000190000-0x00000000001DD000-memory.dmp

Filesize
308KB

Download
memory/1480-3085-0x0000000000190000-0x00000000001DD000-memory.dmp

Filesize
308KB

Download
memory/1492-197-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1528-109-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1532-414-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1532-2339-0x0000000000310000-0x000000000035D000-memory.dmp

Filesize
308KB

Download
memory/1596-350-0x0000000000380000-0x00000000003CD000-memory.dmp

Filesize
308KB

Download
memory/1600-396-0x0000000000270000-0x00000000002BD000-memory.dmp

Filesize
308KB

Download
memory/1608-349-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1616-707-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1620-466-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1628-476-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-2286-0x0000000000330000-0x000000000037D000-memory.dmp

Filesize
308KB

Download
memory/1648-2978-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/1672-922-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1676-161-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1676-152-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1716-506-0x0000000000350000-0x000000000039D000-memory.dmp

Filesize
308KB

Download
memory/1752-395-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1796-2285-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1800-362-0x0000000002290000-0x00000000022DD000-memory.dmp

Filesize
308KB

Download
memory/1804-351-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1804-361-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1844-3097-0x0000000000130000-0x000000000014C000-memory.dmp

Filesize
112KB

Download
memory/1844-282-0x00000000022A0000-0x00000000022ED000-memory.dmp

Filesize
308KB

Download
memory/1844-3096-0x0000000000130000-0x000000000014C000-memory.dmp

Filesize
112KB

Download
memory/1852-475-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1940-339-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1944-2320-0x00000000001F0000-0x000000000023D000-memory.dmp

Filesize
308KB

Download
memory/1964-148-0x0000000000210000-0x000000000025D000-memory.dmp

Filesize
308KB

Download
memory/2064-76-0x0000000000450000-0x000000000049D000-memory.dmp

Filesize
308KB

Download
memory/2064-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2064-17-0x0000000000450000-0x000000000049D000-memory.dmp

Filesize
308KB

Download
memory/2064-16-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2076-456-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2080-2329-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2088-457-0x0000000000130000-0x000000000017D000-memory.dmp

Filesize
308KB

Download
memory/2148-1937-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2176-19-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2176-79-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2176-3104-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2184-3000-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2184-3032-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2244-38-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2244-29-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2256-425-0x0000000000270000-0x00000000002BD000-memory.dmp

Filesize
308KB

Download
memory/2292-144-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2336-371-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2408-2358-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2408-434-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2432-1583-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2440-281-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2460-435-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2476-269-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2484-446-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2484-436-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2528-271-0x0000000000130000-0x000000000017D000-memory.dmp

Filesize
308KB

Download
memory/2528-477-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2528-487-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2584-89-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2584-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2596-2309-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2600-99-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2600-97-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2612-77-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2640-311-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2640-320-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2660-3098-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2660-3103-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2672-329-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2688-2273-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2724-2398-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2728-524-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2764-292-0x0000000000130000-0x000000000017D000-memory.dmp

Filesize
308KB

Download
memory/2784-898-0x00000000001D0000-0x000000000021D000-memory.dmp

Filesize
308KB

Download
memory/2784-310-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2784-895-0x00000000001D0000-0x000000000021D000-memory.dmp

Filesize
308KB

Download
memory/2804-496-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2808-415-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2840-515-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2848-291-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2856-505-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2856-44-0x00000000008B0000-0x00000000008FD000-memory.dmp

Filesize
308KB

Download
memory/2856-45-0x00000000008B0000-0x00000000008FD000-memory.dmp

Filesize
308KB

Download
memory/2860-301-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2876-2650-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2888-2308-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2888-2298-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2896-381-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2956-2274-0x0000000000430000-0x000000000047D000-memory.dmp

Filesize
308KB

Download
memory/2956-2275-0x0000000000430000-0x000000000047D000-memory.dmp

Filesize
308KB

Download
memory/2980-2264-0x0000000000850000-0x000000000089D000-memory.dmp

Filesize
308KB

Download
memory/2980-68-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2984-2947-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2996-2296-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3024-54-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3064-2369-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3064-2359-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3068-26-0x0000000000500000-0x000000000054D000-memory.dmp

Filesize
308KB

Download