691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Size

2.7MB
MD5

e80b5d6fb28284211542354b55af2e98
SHA1

3f3c0531c1dd664951bcc610f391c6ed85d47e31
SHA256

691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3
SHA512

a0ef807133f9b2f9dbc4e239588cacd0674cb9d87613fd9af62eebf98703ac9761115a1be64ba0a72bf3f6539e41732117e4938d77b1db36e86c6f30d618721d
SSDEEP

12288:vj7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7Y:3cX

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 59 IoCs

pid	Process
4748	Logo1_.exe
1236	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1800	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4264	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2256	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4592	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4348	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2932	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2236	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1248	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4816	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4244	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4728	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3056	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3540	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4544	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3044	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4484	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1688	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4936	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2824	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1056	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3508	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2308	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1256	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2232	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2936	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2236	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4948	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2372	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1340	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3636	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
376	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4432	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3320	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
456	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2140	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3608	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4468	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
448	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1056	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3444	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4668	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3320	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
5084	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1636	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4548	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4400	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1772	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2552	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3064	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2544	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2760	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
1640	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2364	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4312	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3376	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
232	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
2468	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\FC2F8.com"	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\ModifiableWindowsApps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\_desktop.ini	Logo1_.exe

Drops file in Windows directory 63 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\WINDOWS\FONTS\FC2F8.com	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\rundl132.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File opened for modification	C:\WINDOWS\FONTS\FC2F8.com	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
File created	C:\Windows\Logo1_.exe	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3600	2468	WerFault.exe	267

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe
4748	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2468	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 4312	3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	82
PID 3172 wrote to memory of 4312	3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	82
PID 3172 wrote to memory of 4312	3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	82
PID 3172 wrote to memory of 4748	3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	83
PID 3172 wrote to memory of 4748	3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	83
PID 3172 wrote to memory of 4748	3172	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	83
PID 4748 wrote to memory of 464	4748	Logo1_.exe	85
PID 4748 wrote to memory of 464	4748	Logo1_.exe	85
PID 4748 wrote to memory of 464	4748	Logo1_.exe	85
PID 464 wrote to memory of 2824	464	net.exe	87
PID 464 wrote to memory of 2824	464	net.exe	87
PID 464 wrote to memory of 2824	464	net.exe	87
PID 4312 wrote to memory of 1236	4312	cmd.exe	88
PID 4312 wrote to memory of 1236	4312	cmd.exe	88
PID 4312 wrote to memory of 1236	4312	cmd.exe	88
PID 1236 wrote to memory of 3332	1236	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	89
PID 1236 wrote to memory of 3332	1236	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	89
PID 1236 wrote to memory of 3332	1236	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	89
PID 3332 wrote to memory of 1800	3332	cmd.exe	91
PID 3332 wrote to memory of 1800	3332	cmd.exe	91
PID 3332 wrote to memory of 1800	3332	cmd.exe	91
PID 1800 wrote to memory of 1244	1800	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	92
PID 1800 wrote to memory of 1244	1800	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	92
PID 1800 wrote to memory of 1244	1800	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	92
PID 1244 wrote to memory of 4264	1244	cmd.exe	94
PID 1244 wrote to memory of 4264	1244	cmd.exe	94
PID 1244 wrote to memory of 4264	1244	cmd.exe	94
PID 4264 wrote to memory of 3612	4264	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	95
PID 4264 wrote to memory of 3612	4264	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	95
PID 4264 wrote to memory of 3612	4264	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	95
PID 3612 wrote to memory of 2256	3612	cmd.exe	97
PID 3612 wrote to memory of 2256	3612	cmd.exe	97
PID 3612 wrote to memory of 2256	3612	cmd.exe	97
PID 2256 wrote to memory of 5028	2256	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	98
PID 2256 wrote to memory of 5028	2256	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	98
PID 2256 wrote to memory of 5028	2256	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	98
PID 5028 wrote to memory of 4592	5028	cmd.exe	100
PID 5028 wrote to memory of 4592	5028	cmd.exe	100
PID 5028 wrote to memory of 4592	5028	cmd.exe	100
PID 4592 wrote to memory of 1476	4592	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	101
PID 4592 wrote to memory of 1476	4592	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	101
PID 4592 wrote to memory of 1476	4592	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	101
PID 1476 wrote to memory of 4348	1476	cmd.exe	103
PID 1476 wrote to memory of 4348	1476	cmd.exe	103
PID 1476 wrote to memory of 4348	1476	cmd.exe	103
PID 4348 wrote to memory of 2468	4348	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	104
PID 4348 wrote to memory of 2468	4348	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	104
PID 4348 wrote to memory of 2468	4348	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	104
PID 2468 wrote to memory of 2932	2468	cmd.exe	106
PID 2468 wrote to memory of 2932	2468	cmd.exe	106
PID 2468 wrote to memory of 2932	2468	cmd.exe	106
PID 2932 wrote to memory of 4172	2932	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	107
PID 2932 wrote to memory of 4172	2932	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	107
PID 2932 wrote to memory of 4172	2932	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	107
PID 4172 wrote to memory of 2236	4172	cmd.exe	109
PID 4172 wrote to memory of 2236	4172	cmd.exe	109
PID 4172 wrote to memory of 2236	4172	cmd.exe	109
PID 2236 wrote to memory of 1536	2236	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	110
PID 2236 wrote to memory of 1536	2236	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	110
PID 2236 wrote to memory of 1536	2236	691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe	110
PID 4748 wrote to memory of 3464	4748	Logo1_.exe	56
PID 4748 wrote to memory of 3464	4748	Logo1_.exe	56
PID 1536 wrote to memory of 1248	1536	cmd.exe	112
PID 1536 wrote to memory of 1248	1536	cmd.exe	112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
  "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA410.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
      "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA529.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3332
      - C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA5E5.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA6DF.bat
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA836.bat
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA8C3.bat
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA950.bat
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA9EC.bat
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAA88.bat
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAB44.bat
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aABFF.bat
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aACDA.bat
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD76.bat
        27⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAE22.bat
        29⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAF6A.bat
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAFC8.bat
        33⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB083.bat
        35⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB100.bat
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB16E.bat
        39⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB1DB.bat
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB268.bat
        43⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB314.bat
        45⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB3BF.bat
        47⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB45C.bat
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB4B9.bat
        51⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB517.bat
        53⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB585.bat
        55⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB602.bat
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB650.bat
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB6BD.bat
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB6FC.bat
        63⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB74A.bat
        65⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB788.bat
        67⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB7C7.bat
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB815.bat
        71⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB882.bat
        73⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB8FF.bat
        75⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        76⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB9CA.bat
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        78⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBA86.bat
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        80⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBB32.bat
        81⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        82⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBC0C.bat
        83⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        84⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBCB8.bat
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        86⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBDB2.bat
        87⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        88⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBE4F.bat
        89⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        90⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBEDB.bat
        91⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        92⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBF49.bat
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        94⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBFA6.bat
        95⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        96⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBFF4.bat
        97⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        98⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC043.bat
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        100⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC0A0.bat
        101⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        102⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC0EE.bat
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        104⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC14C.bat
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        106⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC18B.bat
        107⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        108⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC1D9.bat
        109⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        110⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC256.bat
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        112⤵
        Drops file in Windows directory
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC2A4.bat
        113⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        114⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC311.bat
        115⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        116⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC39E.bat
        117⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        118⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC42B.bat
        119⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe"
        120⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 184
        121⤵
        Program crash
        
        PID:3600
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2468 -ip 2468
1⤵
PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aA410.bat

Filesize
722B

MD5
302e872a515ae1a00e766fbc266b869b

SHA1
0030fb5420898bbdc4fdd97ac3151c01c30fe82d

SHA256
15168833350c8c0bab2e63d56d3fa7ddfbd38653bfe29c9f54a3f76f34182d8f

SHA512
ad2133d5bd18463c1a8783c06773639f82c90bce196100327d00e9379c376158ee5bdd4632e9923e1d7a10c70b513d1e3afcae1367ab8d33d569035be9262d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA529.bat

Filesize
722B

MD5
f1dd3a96fc4d032ec4c73fc6cce89b79

SHA1
9e4d0c3310a8df5e4f131dd1a26bcba0504441d1

SHA256
080c0ef8eb1995e27eb8e6110e61a3eef339ef91c15fc9e017deab3a647ff467

SHA512
6e43db0611b2ee4fc640244c316f56b62d441bd4e013060452b1bbbc66538276eae0209b4ba0512b07d59017ce23ebe5244168453ceb649af81919663d6358dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA5E5.bat

Filesize
722B

MD5
2c9a6c65de7e53a13803c49f960680ee

SHA1
58678412e4b8de3c826af697d579c151ab314e9c

SHA256
766cb154c7823fad098c083bb3f7dbc82c499210b198ec516374d58177e64397

SHA512
e47e6b80d2a9d992b00750937db1be89a011f5174cf2179a3b9667742eb0c70f53f32fa2d16f1bb91f4c7c7b652ee55de01f1c283608fd3df48d108dde0e8e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA6DF.bat

Filesize
722B

MD5
79f7a5c48f2437b66dc3ea4296369ac0

SHA1
3d77c9dcfe51dfede53e6f5e77ec024de15b4ae8

SHA256
339ac73478c4f9c42ae494dd0fff9583d8d8070afc1b8bfe673fec2ec6af1b17

SHA512
e57dd756d4a9efc979f9ba11d1ce867cde4154dcdd6031d450edb940439ba5c65f262293e538e8079fd5b2d7900c4ced00d64754968e7d72747215153379eade

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA836.bat

Filesize
722B

MD5
cb62dd45674f0829e9cad662bc35b84c

SHA1
0d09790577d3e47679fdb856a0580a739ab10a77

SHA256
4f89a99e6d07646473cfb71888a651ce102e56d8e037d9d2124683c92cbf0ee7

SHA512
eab594ff45148c7650a262ce8f81e214d6797719af89e0f772cfcf37503b3f0e3f5783b5e1b5cf5b13b8858b11408b7b4ca9f3c827bcb1cd928da2647a125b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA8C3.bat

Filesize
722B

MD5
73ad13e3ae71beb4470708e52e4a2872

SHA1
735e2dd6634efb8c26e0c1404ccc1d2c594fd918

SHA256
5b996a4c21f0b391261b85e8253559171007056fb610abd794cdb1d7b17e8f83

SHA512
f4f56730c99ac7c74c2a8767a016b2dfd2874eee956a87a43648038c6f4acb5493b314c6e5a2cf0ca55bd4bee241eeb9f7ce43a2152a2e7cd42cd68462418cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA950.bat

Filesize
722B

MD5
f0184cb734e69918953714d43f4e0552

SHA1
c1e3442ccf2af090acd0c4abf57d2826eb75c0e4

SHA256
290b562a5f4c754eb3bd9e83969032b52ef30df904abefc3924ca8141ad694e2

SHA512
eff6f3182c67836913c41e980a5b68248395e8163e4ed9266d002e7b496d0cc8e7b482aff829dfc6629261faad70bbc6f401e311513619509989929883074e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA9EC.bat

Filesize
722B

MD5
76504c1fad8cd543e4ce5642fbfa106b

SHA1
ad831ed24814ff9e6e773bc389f145aaa2380163

SHA256
2a51078a641103ee608bba5475de56e85967b7dd60d555ab4db3d80daf70db42

SHA512
a1745c581dec5be11ffc985a820e0724e5c5098075f8c5106bd2dad865433afdb2e821bd69329673abf6036773f0eebf44dc6a36874c4f1a4967e7286d041f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAA88.bat

Filesize
722B

MD5
fc6a63e92448d283b139a858d5a9b83b

SHA1
efdcfe489dd85908d0a9833bb3bc66d4b8fbf4f3

SHA256
931f533a7bd8b4e7c55fff7ae97e8d498c64c5f79b4296fa116d4e1873b2a2b7

SHA512
bc2947b5b3fa68da936544590b1d5978a0953b52df218ae8951d47fd29e73a872783cf3728951e5d0724101b7409668ee2475667bf722b736a49eebb36171c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAB44.bat

Filesize
722B

MD5
88f084685c5d9cb9adcec2ba18cc9754

SHA1
b339e9c0d861116d3c2a5d98bc25760bfe3d85b0

SHA256
b8efb9a26896e0a664ad0cb0c9197d59edb7cbe2e4515746a557ce715008a633

SHA512
2b398f57ef4166d13605e209589c1255be5fd68d379df63789d4e45304dc50bb37a8f449f38e4b6c79e3762b2cf4a4e0469df7b4501dc38d0e2d963d3ff30385

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aABFF.bat

Filesize
722B

MD5
5fd06bf5e8aae18e944e5efd22e0f85c

SHA1
6f8eee9d5c8f55816f0cdbafda2c51d9e6339344

SHA256
d1449999a8d842e35a56eb423636191e1eb2ffd5e49445b6e1111a3826cec02d

SHA512
65d3f1d49be703865b48b78cd02c425745b586b93f05e4451de43784074eccc1348951e8dfaa80899714e5faa0c962eb34ee4498d37d5eaea5dcea154051a5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aACDA.bat

Filesize
722B

MD5
c5e7034c653fd86c83390dc4c11c039a

SHA1
92df00a3bc576e66ef0835c8c81105c60174fc28

SHA256
11dd7e5bae0040b11793a8d226e7698d6901d0f665bfc5f90bcd8cd295faf218

SHA512
67c1ffd446f7057b8e6e7640ef5a89fe7bd8020bb1c4c2d0fcc4e78bf5692e1bb8acaa09d36cd2567f0619e7ef183905d7deb639704b1a7d8f7594d88d6ec0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAD76.bat

Filesize
722B

MD5
2f2cd59a2db6fe0b24121163024196bf

SHA1
3c01f5deb7edd46badf533f771a33ecd0cab6be1

SHA256
636ce9d634af7926435777e86646e450e3d6ffe24c96c6ba10405d05ededb4c1

SHA512
8c23412b1cf5a05f9a238eddb9c258632a7bf622da32f6876354351d1ed45c183883083e71f1ae5cfee01445d1f546de0fa28c23bcfb20370b6dea1651bef831

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAE22.bat

Filesize
722B

MD5
c2afe1491853159450bb7452966c4b52

SHA1
0b84db59ee5d934194ed1adf06ed593bfaefbf79

SHA256
fcd3badc03cde6665538849a77c28c645d635af0e2dc845939447326bb2b189c

SHA512
fabca639e2500439cc67d47b1f790f961512adee6b96dea77f8ea3a4a2d45ee157678af52c10ba4fef97c94b39c08f27971042b4245b0653b86438fbfcf09590

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAF6A.bat

Filesize
722B

MD5
3a37f357bb5b508df13183d5991a6d3c

SHA1
f129a1824f39e6c7d0d0d75383dc21cf82600a96

SHA256
55fb9b1ad0e8dd9d34117071dfd399933a36dbe733c7e9b3080324701a873f59

SHA512
eef02df730caec238cc0e23bed77cc5969f4510cba4eceafd8103c37119902ccfdfe4e9962a3ef70cb7f378192a61b1bcf2774de6dab9443db338099acd53fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAFC8.bat

Filesize
722B

MD5
eac0e57926213854c74cdadd06ed05d0

SHA1
35adf94e41969904452aa0ca356dbf5b7de232bb

SHA256
537a85ac68c7e2ec2b6edfb4d021bb362fecb135966152a4b3071eb37b14e6b8

SHA512
148a383923c8f339f6cf848c7dc44257a67d438900a958b16bfad07b9d1270115aa01849e888947af585fb80f9ba1e4344b105c4d6d8508bd68759de58caf4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB083.bat

Filesize
722B

MD5
0608be3905db33926c14492d9ac886cc

SHA1
d3c8b9038c9045c870ca73e6e5569ae35a7721ba

SHA256
2737492cf53af1c9d4fa0843759a5c2950487148e1140feff227205eb089198e

SHA512
7c05c0c7427b58c3580549afb541b5c29dd6e004f272837f1d3b5dc726965accef1be85ee608883d523a64497b63d740d89720bf04677a537d7127253a783564

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB100.bat

Filesize
722B

MD5
b3a97b8e9bd7b5b0300e199cf4d477b1

SHA1
fad6dc8895dd4c758ae657074aad8ded1d6e39d9

SHA256
318a3d82a6b7b082f4d7256d52333edaf88f1f20b7c045cb8d98a732587810c4

SHA512
a88fd87032ce6dfeced532a26487ed784213faf44468d85548681693bf3670c6b386d2a1b753f93bb93ed64cf456192fbee1f676e36d627a1ab51992ace7b96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB16E.bat

Filesize
722B

MD5
303c7e5ded7c7136e683e7d00a910b3a

SHA1
f829f3d1448b757b189997ac916c3a1e378fa81c

SHA256
521b26a2813ae37345631ff5db7d58061e13cdd68c99098ca383bf1a6d40ee58

SHA512
e35b8f53c36fbc01f3f042cbf9f6d16bb5f4ba2f3d6679bc2f8ecc983ddc050be8f515b5f634fa8b69a4a12cab90151720d2d9fbacb0c3327e28b88473a5565c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB1DB.bat

Filesize
722B

MD5
b9a8d8ef207ca18714cbd99db397c423

SHA1
29b1217f36fb124615533b0939ea70b3b3cf34d3

SHA256
24088aad408724cc122faf8e65720441847b3601186057a84301e61938150afd

SHA512
24cc121492c2f3578e7b846dbf7c9b5af422df8a14e52e3687847dc70057dd23968fb15d23de904713549c3ef15c3a8593eddc44aee3907e608a0efce7e98ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB268.bat

Filesize
722B

MD5
5c6b6e04964067145cdb44982dc829c5

SHA1
ef89b018438bb7b820b5364bbd7018da54736960

SHA256
bca1db0fe4bb95ca237a33948280e9b12d5bca91a1201e774561e2f015ac5c9c

SHA512
a7188ffcc1ad4aa45e1c63fc59533933de07cc3ac675287fb94580e52cc7703fbbdf322cfd60cd1c54a86270ec3a2ba1b27b9aa15052a20d23f9f1e9ee20f142

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.7MB

MD5
a0d5d1a7e51ddf3a16cabfebdca1abd2

SHA1
634b3231de7fb93cca784a292235f54faf0f5d81

SHA256
f0fc47be8d77e7d6fb3cc7e2e2101483893e30928fb7c1de6a01fb59d9415877

SHA512
b81fdcbcebc7a614163807aade53f1c6209f9c3b5b86af19268e0e43c4854f74e950948abac1e2f6eb01a4d5e3b47213246b81a88c1c6f7412aa8e2c3b925ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.0MB

MD5
6f1ffe9f3e17d6f1cda7e625d1b89b9c

SHA1
6c2e76cdf67bcdd5d4a354f319ab529586130cae

SHA256
ea51d7ab1e6a2d2aed2aa02c1a1088c30ea53afd8579be36f20b79e7e4fe74e7

SHA512
edb3d591356d6d2963f61dda2678d579df61366d7502b5e4d8d54e8dc7c1bfea167a77745d9a8eb0019be5efc41032bc3369cac2070531a565d71574de0757f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.5MB

MD5
082e82ae38f578da89a8fb10407dd43d

SHA1
efa9c8f351a27e0534213096b10e43468e69f4fe

SHA256
7a0e4349ed98deafa6f26ddd1289a9c671fbbcf2f8d3fdfb45acfe809e89f0a7

SHA512
be73b48aed9fbedf424c65cd5c6d83442f628205856364ed57d5eaceda20ed852d613456e376e7fd85c17bb9be533e6695894af0578a6625788b80069ac6a23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.7MB

MD5
ae8196496642782572876d6f41d52ea2

SHA1
f94015c1f463180f51e51c0fb3f34333cb42be11

SHA256
68dc1f70be2631441db836e63a0ad0dabf20ce849afe2ce3ce4e06ea364d052a

SHA512
6e0de64ae6a06825bb841c9c3889a63704627869c53045e2043847c20b26095ce159275d83fe50a3ea00b125f5873a34fe549dc2be3947be8029dc91ed3aa492

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.6MB

MD5
c1fe2f5aa024333c9e16b50f567e7edd

SHA1
f0e1e898af04b82b45c24d5350c2afe7f9d2e2d3

SHA256
a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf

SHA512
554b72d82a6a329957070dadfc38253899044de67c9d6bd4f27cb9531b097fe1897b6345be2360a76c8a76a6edd780b71c3e0deccffcdec2e76f8cb6880b6f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.4MB

MD5
ac788323972e7ee7243e740ff2f8daae

SHA1
6acd6d700849ca9ad064481461f4b7988dab1945

SHA256
5e7a0c5ef3211fc58e0eca20df194b478942534d5968441fc354686ba7222ebe

SHA512
ba1e52d4d8ea9400b359ef4982504010bd12a007d174ac86187050368c03b78e89b51324429d909741e4f1598be2eab28d0b400f0698b8e085f12beeb6921778

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
1.9MB

MD5
66c74ff5a6fd63536d9510a0ef504561

SHA1
6b34a7e9fb3e220899f77b76c2b26db3e8fa175a

SHA256
535c14bafe9e75f724fae0480e24d0be0c801dbf1d2b81d9d300abbdc7eac326

SHA512
12ce8aa2c0f55fe69d865473580953748bc479e5970b3a82ac673aa2020f89b89ded1ace166f3e5a95138fe996f3f6f804b69a81424404db706527543df865e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.4MB

MD5
3baae1aacb86eefd1732edd07f95936f

SHA1
e8e6b0b06ebae55a45c6405e27d131076b280208

SHA256
055e7eb2f930f945226daf682591695c6895cfc321c30a1ed1c580d3addcec25

SHA512
3a8d665f83c8ce15e4f093bdc10ed4388d8ce603c8f6ea41741f56909659afd46ef8a1bd9d49e065e9a7abe5f400f0660aaaff1956b26f6b1abb7ca213f6d752

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.6MB

MD5
318d2c741656f06f7d7aa2da999a32f9

SHA1
0522ded7028b5cabcacf251fa66bbaa97658eb14

SHA256
c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b

SHA512
5f4ef057b74e27fde7970f714db3fbc9585ffe4ef3096c89297b4a892446c4790373dfe2c6b0c784c25869c0a85ba22d71627c2012b4b9011e46ac3f840c9fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.3MB

MD5
ead3d576cab6bb3e77414935b36ace66

SHA1
e347ab64ced05a4e50b4905cb800147620a18e6a

SHA256
5600effef951ba7fa3bed54b59a857bc26814b45e68c7462f67b1714258b73f5

SHA512
38fd77828d2d8796a33b52e0b57cefb792064a9cef691c8dab97331321a3b3eae6a7c0918c3617a00bab16a686f52c9296ffb022d2b78bcaaa51e9cd1146112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.5MB

MD5
2d8020710bd51a9280bb8c23c28bff6a

SHA1
3b6ad35921dd59358b04ec304b922a7aaa2149e0

SHA256
c58bcec14503c2167a549ddec40418a4151c1624287f76961539d66e52bc7146

SHA512
d7e146017539111d7f45efa9260d3ac12840ec34574ed6512a3c498ff368eabfe68ae5117c34207170057e81361daceda7ece2c48b25642dc2ee33b82b0b8b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.2MB

MD5
14b760d79bf066c92c043709056178ab

SHA1
153176def6ae9b5e3db4a1d70d30a65d315d3276

SHA256
b410192124d4903c587feeb9837753fac84c61209f3ae1d0b79bff93de82d2d2

SHA512
2d66ecf676de0fd9b18ad3db0ed2b4dbb3ab1a88519303155af4a396bde4ab900e0c7891de96d93037669ba16f76d6bd8cd21b0cf73737a65bb5bca422a9c355

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.4MB

MD5
58231e8a54a4d5ad10981a9261d6df2f

SHA1
79fd962af3dede9832de8856fb96b7723cc2ef09

SHA256
1a2fd6986c0d5d25002b7ef2ffdeab383f7cb19ead19248c7207e5d26bd67f99

SHA512
7e53168e58d3c2d8472a589a711366d932f5295e330544b6ded5a32e44d857f823465ef572ff5d2145ebb5e9d597913c91b6e798177c8d81876bd63eaadb94e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.1MB

MD5
7b781c296c9518ce7e93f77b8fe3bda3

SHA1
124bd189e2510f852183f51faf67278c8cd1b2e6

SHA256
c50db397ecab6ee6a577d51d1f81d51cb99b2ce149797c8d8c0d59882ab2a7d6

SHA512
24be4115fa2230e35649dce2d1536f25f3df3a7192e530a87cdda00393f1de715264acbab98c745ea7f65f64ce713d01598ed031ada25a61c66a830b2e872c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.3MB

MD5
ee5224c7af0ca448809311f5d5d0ac92

SHA1
6e9d7c7b30a008db94a17f40bd0df234b34b035e

SHA256
1e631817553d5d6546691864c336086c6e6158b7031d93abd85b7be28f952e95

SHA512
46dd8f473c8b28d152d9d176b2f7c3e670c61f58eda2ab21a6e5fcfd328fbb57ca57d38419e5228a2db8057bd9c53048650985bde5d2f0106d53c1ce0dd4ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.2MB

MD5
0655f93740d40e73a63659f993376388

SHA1
84e3cc33c3c25c26392128ea0dc5062cbc89c8ed

SHA256
e5301178fee0cf24e3a15b43642c7d1da8ebe5e945cdeee6e4688d9e72f82b15

SHA512
91e7b34f63c9b4a3a9077462254238d4024553fe189d598f8ee913ef2f45293472e3244870659e88e33beddc184ecc48e1812ac9a912d9bc9fcf4fd5b9c12ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.1MB

MD5
286dfd9e19e5bb83a98ac2b2e20a7403

SHA1
f4ca430d2669af6a56f89a1c3adfb6cca459cc60

SHA256
060afb27e8d052abd7965c922e4b826e3325db24646037b3dd6b92aad77f1858

SHA512
45742bbb0017f2a25b4ee773504a7369b5d0d454bb570192fb05e4747d80ab0240f99bbf2c8484ccfa44978db1b3c815c378d0efad66bf6161b67639c81f716f

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.1MB

MD5
9b6b7050405a5f58449bc2939acf98ef

SHA1
4e5d761679c6b602cb1082f9264a4a332d524efb

SHA256
5d5d2ef460f6be067a1cb5a15f116ddd5bc66e6c687d3c65b8777fce2fa5dd41

SHA512
1b3624b711aa854d28f0d3e37e0e83fb5e74c7a57e13c52823b33ce254a7003516e46b4383201ee397c1fbfb472c5ca183fd9b994b0929e746cb6caf317cc55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
2.0MB

MD5
760a878c0062e76cd1c4685ff30ecfca

SHA1
1c6c49bea462a0a5eff52c635f606f5e73bcfb7b

SHA256
d5c8b63e8e9b41355232bca7a5858058b489bd439c8d3d446c9de098dde7e4a1

SHA512
ae861a14a1302a63e28dd94014b2ddd4a2335e0656d31fda3ef30bb6c435a6a6c2138bbbc616aeb7fd0fad5d5d63a504ac34ff193f0ce54b0e539490c53ab0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3.exe.exe

Filesize
1.9MB

MD5
e306a7fec9113e90189084cb07499334

SHA1
6c12e3ab33c22293a6a996a1a154b6919b3a4adc

SHA256
dd2728054713339202299c7ea5c925f0e013a109606d634d7f5f1a78c3bf9294

SHA512
769d475e6367e75bfdd1988c0a381ddb015ada030fe3240adcf9e7d4218a2be681dccb3db80485761576499b64c90630c08d43c872ddc8c45ef525b19f7a6afa

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
6d85a04f5bb329cbba3880c43337ec52

SHA1
8c2e62f730619b2e06a5fb802e115606b664525a

SHA256
ff95e5e3fea6e5f9692d24c81ab36bae1013658a34bc60cdcd9b4c591e7feec1

SHA512
31919b83c1b66e4eb99612c6b23a7dfc1cd107e51e3178bc8fb695c8243d7493f43b05a4ab8d0880763aa584ccbecdb1b61b31f0a66d8a92938884b9ef04daf8

Download Submit
C:\_desktop.ini

Filesize
9B

MD5
888e0958022ac10e914e1c9ca3f383ab

SHA1
37d80b3ecaacfed7092fcbe70d7c1000a5246e09

SHA256
627942d6123a7fed1e8414a3d46906af51b7c5f06837df6d288707d29a84e1a1

SHA512
a643219412a29dde13c4d0a9619dbdea00193e91276e163edf546f3392c704a8c2936a2c27d2a0206bfc3ca592d7d79be849c51a1d9af0e4d237cd3dc47eeec4

Download Submit
memory/232-2360-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/232-2414-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/376-220-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/448-984-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/456-264-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1056-1230-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1056-173-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1236-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1248-79-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1256-188-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1340-212-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-2004-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1640-2036-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1688-154-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1772-2016-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1800-27-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2140-344-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2232-192-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2236-72-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2236-200-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2256-41-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2308-184-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2364-2037-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2372-208-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2468-2535-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2468-5994-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2544-2028-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2552-2020-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2760-2032-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2824-168-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2932-64-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2936-196-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3044-140-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3056-178-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3056-115-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3064-2024-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3172-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3172-10-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3264-2041-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3320-1884-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3320-228-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3376-2223-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3444-1420-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3508-177-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3540-122-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3608-551-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3636-216-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4244-101-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4264-34-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4312-2094-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4348-57-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4400-2012-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4432-224-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4468-778-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4484-147-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4544-129-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4548-2008-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4592-50-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4668-1710-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4728-108-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4748-83-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4748-4569-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4748-11-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4748-9216-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4816-84-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4816-88-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4936-161-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4948-204-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5084-2000-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download