41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Size

1.8MB
MD5

f7bd915047964c6345eee588679d3f6c
SHA1

818772db9065eda9a6ccd20eef06d5256280e17f
SHA256

41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327
SHA512

301ac44daf8b6121b70c3bdf106b6e15af2c8727c91ec81a595186614ad3f1b4cc431d254dd59564ed84abee23883c25bed5e9233b2dc20c6fcb0393e7bb6585
SSDEEP

12288:vj7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7g:fcX

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Deletes itself 1 IoCs

pid	Process
1944	cmd.exe

Executes dropped EXE 39 IoCs

pid	Process
2432	Logo1_.exe
3000	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2772	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
348	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1812	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1600	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2076	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1320	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2088	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2148	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2076	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2980	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2768	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
620	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2468	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
684	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2836	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2808	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1688	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
868	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1808	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2492	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2144	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1580	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1032	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1944	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3004	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2784	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1656	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2544	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2972	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2912	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2020	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1224	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2996	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2484	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2864	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2800	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1128	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Loads dropped DLL 64 IoCs

pid	Process
1944	cmd.exe
1944	cmd.exe
2212	cmd.exe
2212	cmd.exe
2736	cmd.exe
2736	cmd.exe
1276	cmd.exe
1276	cmd.exe
2000	cmd.exe
2000	cmd.exe
2548	cmd.exe
2548	cmd.exe
2964	cmd.exe
2964	cmd.exe
2184	cmd.exe
2184	cmd.exe
1612	cmd.exe
1612	cmd.exe
2428	cmd.exe
2428	cmd.exe
2960	cmd.exe
2960	cmd.exe
2296	cmd.exe
2296	cmd.exe
2932	cmd.exe
2932	cmd.exe
2576	cmd.exe
2576	cmd.exe
1988	cmd.exe
1988	cmd.exe
1976	cmd.exe
1976	cmd.exe
2592	cmd.exe
2592	cmd.exe
2368	cmd.exe
2368	cmd.exe
1664	cmd.exe
1664	cmd.exe
2364	cmd.exe
2364	cmd.exe
1916	cmd.exe
1916	cmd.exe
1036	cmd.exe
1036	cmd.exe
760	cmd.exe
760	cmd.exe
2416	cmd.exe
2416	cmd.exe
2444	cmd.exe
2444	cmd.exe
3028	cmd.exe
3028	cmd.exe
2424	cmd.exe
2424	cmd.exe
2456	cmd.exe
2456	cmd.exe
2804	cmd.exe
2804	cmd.exe
2540	cmd.exe
2540	cmd.exe
1432	cmd.exe
1432	cmd.exe
772	cmd.exe
772	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\67403.com"	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 43 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\rundl132.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File opened for modification	C:\WINDOWS\FONTS\67403.com	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\WINDOWS\FONTS\67403.com	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1128	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1944	628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	28
PID 628 wrote to memory of 1944	628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	28
PID 628 wrote to memory of 1944	628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	28
PID 628 wrote to memory of 1944	628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	28
PID 628 wrote to memory of 2432	628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	30
PID 628 wrote to memory of 2432	628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	30
PID 628 wrote to memory of 2432	628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	30
PID 628 wrote to memory of 2432	628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	30
PID 2432 wrote to memory of 2296	2432	Logo1_.exe	65
PID 2432 wrote to memory of 2296	2432	Logo1_.exe	65
PID 2432 wrote to memory of 2296	2432	Logo1_.exe	65
PID 2432 wrote to memory of 2296	2432	Logo1_.exe	65
PID 2296 wrote to memory of 2992	2296	net.exe	34
PID 2296 wrote to memory of 2992	2296	net.exe	34
PID 2296 wrote to memory of 2992	2296	net.exe	34
PID 2296 wrote to memory of 2992	2296	net.exe	34
PID 1944 wrote to memory of 3000	1944	cmd.exe	66
PID 1944 wrote to memory of 3000	1944	cmd.exe	66
PID 1944 wrote to memory of 3000	1944	cmd.exe	66
PID 1944 wrote to memory of 3000	1944	cmd.exe	66
PID 3000 wrote to memory of 2212	3000	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	35
PID 3000 wrote to memory of 2212	3000	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	35
PID 3000 wrote to memory of 2212	3000	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	35
PID 3000 wrote to memory of 2212	3000	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	35
PID 2432 wrote to memory of 1196	2432	Logo1_.exe	21
PID 2432 wrote to memory of 1196	2432	Logo1_.exe	21
PID 2212 wrote to memory of 2772	2212	cmd.exe	37
PID 2212 wrote to memory of 2772	2212	cmd.exe	37
PID 2212 wrote to memory of 2772	2212	cmd.exe	37
PID 2212 wrote to memory of 2772	2212	cmd.exe	37
PID 2772 wrote to memory of 2736	2772	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	38
PID 2772 wrote to memory of 2736	2772	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	38
PID 2772 wrote to memory of 2736	2772	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	38
PID 2772 wrote to memory of 2736	2772	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	38
PID 2736 wrote to memory of 348	2736	cmd.exe	40
PID 2736 wrote to memory of 348	2736	cmd.exe	40
PID 2736 wrote to memory of 348	2736	cmd.exe	40
PID 2736 wrote to memory of 348	2736	cmd.exe	40
PID 348 wrote to memory of 1276	348	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	41
PID 348 wrote to memory of 1276	348	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	41
PID 348 wrote to memory of 1276	348	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	41
PID 348 wrote to memory of 1276	348	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	41
PID 1276 wrote to memory of 1812	1276	cmd.exe	43
PID 1276 wrote to memory of 1812	1276	cmd.exe	43
PID 1276 wrote to memory of 1812	1276	cmd.exe	43
PID 1276 wrote to memory of 1812	1276	cmd.exe	43
PID 1812 wrote to memory of 2000	1812	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	44
PID 1812 wrote to memory of 2000	1812	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	44
PID 1812 wrote to memory of 2000	1812	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	44
PID 1812 wrote to memory of 2000	1812	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	44
PID 2000 wrote to memory of 1600	2000	cmd.exe	46
PID 2000 wrote to memory of 1600	2000	cmd.exe	46
PID 2000 wrote to memory of 1600	2000	cmd.exe	46
PID 2000 wrote to memory of 1600	2000	cmd.exe	46
PID 1600 wrote to memory of 2548	1600	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	111
PID 1600 wrote to memory of 2548	1600	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	111
PID 1600 wrote to memory of 2548	1600	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	111
PID 1600 wrote to memory of 2548	1600	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	111
PID 2548 wrote to memory of 2076	2548	cmd.exe	61
PID 2548 wrote to memory of 2076	2548	cmd.exe	61
PID 2548 wrote to memory of 2076	2548	cmd.exe	61
PID 2548 wrote to memory of 2076	2548	cmd.exe	61
PID 2076 wrote to memory of 2964	2076	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	50
PID 2076 wrote to memory of 2964	2076	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	50

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
  "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a823A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
      "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a82A7.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a89F7.bat
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a94C1.bat
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a956C.bat
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9685.bat
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9D49.bat
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA4E7.bat
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA87F.bat
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aABBA.bat
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aAEC6.bat
        23⤵
        Loads dropped DLL
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB0A9.bat
        25⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB22F.bat
        27⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB461.bat
        29⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB4CE.bat
        31⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB50D.bat
        33⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB599.bat
        35⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB606.bat
        37⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB645.bat
        39⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB6C1.bat
        41⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB71F.bat
        43⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB79C.bat
        45⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB819.bat
        47⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB895.bat
        49⤵
        Loads dropped DLL
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB8E3.bat
        51⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB951.bat
        53⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB99F.bat
        55⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBA0C.bat
        57⤵
        Loads dropped DLL
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBA69.bat
        59⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBAB7.bat
        61⤵
        Loads dropped DLL
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBAF6.bat
        63⤵
        Loads dropped DLL
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBB63.bat
        65⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBBEF.bat
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBC5D.bat
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBD18.bat
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBD85.bat
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBE50.bat
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        76⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBEEC.bat
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        78⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1128
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7073747461466120010947667689-941359128-162938686-537927431-1603554019386144284"
1⤵
PID:3000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1153228848-1910020871196698511-67405429617559973161743535443774162753-1486309946"
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a823A.bat

Filesize
722B

MD5
179c8768fd62d2929c8c860d9d4c8726

SHA1
dfc5f36de8172b6723e7bc05a98d17d601ed1a75

SHA256
88afd506f620389db72566ee79355e6478e8fcb7d52d58b9668bcecb32b4555e

SHA512
16e8ba2340c3f2615a56cb9019edc03710de90be5bb502f15cabe3770d61d6d15657cda7e22980d638cdc33dbe087ddf02ed8ecdda3272148ec7306165fa548d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a82A7.bat

Filesize
722B

MD5
0f28d6e6a089498b6607f8cfc4d3d461

SHA1
3d7bfaaaf3750b85a091202fc4ae7d0a37f89e25

SHA256
052b4cc8a8d8e5a9b289aa99a43f488c8e87220c773d9941e0f1aae2688fff4f

SHA512
99740057fd1706bf00a1a13bf1fc77c19ab4c897a561f1fc7352b52824635242925bd3c79ef69473e6d9ab14eebc4f229714923924a3151005c9a44d1102a587

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a89F7.bat

Filesize
722B

MD5
e29dc57d35675bb8243408a9c9c76e91

SHA1
cdb6bbc2ba15ae1dce804c968bd038859d98a610

SHA256
35062bd8ab8d0a356e88343410d28c02d9b7f08c5ed8963e65115e3dac2b5360

SHA512
54bab603f5d975bd170e5220a4da4f0ae7a789fd4934d8b39c9bbd52b680e691319fb34982c0e603a6a7bbbada807c4989174d79deec42bd2c155beb0a9f8995

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a94C1.bat

Filesize
722B

MD5
9fdfb30d04da35ad99b1ff9ebccd89da

SHA1
843ca4d98da83ba5448fbb2507c35898427bc436

SHA256
7a6ef6d2affc25e693e07ec6be5e5773796669efa68916314d89d0bcddf424c5

SHA512
81ac6388f0d590cbb61e57dc026cd6a2c6c459a9781a7c71ad0154fa4a377ecfc0973a9ab377b410b2548628a35f35a35c3f8617519e46072ba3951f6d30db72

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a956C.bat

Filesize
722B

MD5
23f989667b7673ae14299a62121d690d

SHA1
11803b0d11622aa1ab77fd5396101afdffa7057a

SHA256
db1e23aababf71fd37ecd405e5d98a42d9661ab92b6b487be4cdc92c0e6557a5

SHA512
d76de523b6f7ceb02f069db68dbddd9b181974ff74a86cb92b487fbf43337192aea2110eeb941594aed27d0d7ef497f82ed55b5402a488404e6cf171f69a6c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9685.bat

Filesize
722B

MD5
9170e3a434afc214dcdbddf888a77563

SHA1
a314c738afbf1f05ce7e295025acd2ebb4ede4a9

SHA256
16b0e9e678669103589d83aed663f1d7274c7d3b45796f322e2113ee2d1ee50b

SHA512
e3316f3868e19493b6ff1077b09edf8a9ed42edfff8c81d86750ded4351c9892a7d394f9d4daa174b4d5d3d1fbc9622d6a221176329c0d3832003774d520229e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9D49.bat

Filesize
722B

MD5
cdb684beb4392b84e1037d6cca84aec6

SHA1
5921d800dc62ca1df49ce456ee9aa3ef549bb96a

SHA256
9a7d044418914dc4c12de82db82353aa00f435be821cd4582531c37fb0b9bf33

SHA512
832ca2eb46ebc0fb3c03844c96e51683eb439b805abddeaec949b11edf36133d558aa0152084540638598cbf4e93c571122966996a7ef535e951db25ce15f9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA4E7.bat

Filesize
722B

MD5
818209140b2c441fe6923c1bf01fb068

SHA1
845244b70cbe4a9ac8668798519be1236a2bddf3

SHA256
ad25b64f4ac8c86c2adbf2a12106057b70aeb1a2d6acf809044b34ca2626f3dc

SHA512
030a5b2fce456212770eb90a2eb92ed91de31e01670d1f4e52161becc729c934d80b2e273fdf2c069bb9e9a60d17f8c6e3a9573a1e78504046579c2a91506672

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA87F.bat

Filesize
722B

MD5
db710811047906c68c05c539eb1ee2a8

SHA1
cc419cc651d460b97fc54d037be0ed5037f1957f

SHA256
5586e96c75bbff1d8287fc7d98bef7502d1114ac2f53aac7eca60eeba23a72d6

SHA512
6aae02fa8d8037a37bd6a740a4aaad1df17f17610d538639c6f813f863bbfcd9fceebb539f0d1935656f8c2328543b71ff42033e2e15baec69376ac289f9c6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aABBA.bat

Filesize
722B

MD5
43f9e2e8feb7f97ef659a643da559689

SHA1
9d837450d369dc364285d260e767dbb352700326

SHA256
1f94a3bc4bb6ec4826f58e8353f10aeef708137c50cc8d0b733820a1a6837e25

SHA512
9e61af290f32d61ecc30eae432d696b90712f4064c732dcf5b42ea752e6be42dbfe48438f247b7f09a6a57d49eb321810023483285d6d72652173432f5d68fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAEC6.bat

Filesize
722B

MD5
04e14091b0510af5b6a44a867b56d167

SHA1
fa9826facdbba9481864d7d692d64401b5777f8a

SHA256
594f33a032c0d8ab3730418803d8b455729a42f8d49441e3ab0a31e81c9f8233

SHA512
81e6d13acce1990450a150ff3e0f1d9b6295daedfdf950a12ab2d4fdbdd8d01c93cc7b9ce2137fe67555e6e90664afb2f9aa1da1e635045b7472db5058435b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB0A9.bat

Filesize
722B

MD5
a29e86aebf233ac3be92078f337fea15

SHA1
0fb96da3ab5a23f1906e311a3a2bccb67f51fa1d

SHA256
c9fc82175f013fb4dd28ac988bcb2a1a4993082036717d050a69cce08a7740aa

SHA512
47cbaf8ea38a61fd7d034c0dd88d2ac360b0e1a1a962184e4346832cf7e5e343e6ad686cfb53447dbace8b74b16123f57d23807aa770fc385f952af3047aef13

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB22F.bat

Filesize
722B

MD5
09b35888c80be5b7c9f4641c96df0af8

SHA1
21a1fd6fe01ebf838107a5576f8e5f1e3058c913

SHA256
c66dae1d33af39e09943bdc21698e88a872b85a60595e5110d9aefd3db4de5e6

SHA512
6a7dd002b2ba0ad443583d572c135a71a40d3a28c3586a83eadbf6b1e4d90d73037d0744756e53459e99f3cc9a449d88efc10f5b1ef2708b70b911e428ae4026

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB461.bat

Filesize
722B

MD5
b77462dc9d8445150a571798f286357e

SHA1
c41d13f7cc178183fc97efbd8271a4f1001e8f14

SHA256
cd52f789880bf87f15bb65196772d67ea320809b7c9d205d422b41bb7563e87a

SHA512
2e580ffd498e8184562dc2d1171af9aca0da66bec4f1f567b3ba39aafbbebe6eec0616a8fac0958a898248110ecda459ff531e97902e5c56ed75bc239dd85e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB4CE.bat

Filesize
722B

MD5
e3ca899f7a08c8ad5a20c9527ad6349a

SHA1
6764d0a3bd9dc529c99a996fcf8d2e15308bf97d

SHA256
059117bf40f4493bc941b28bf76ae2270d1c10dd07d2f7546d727f0a5c4b483d

SHA512
da07d65cc4ea0fdd26dc376c8eea01b2efa4fd0573a9459ca5eaf85bbc0715ae2069f92ffbb7dd4cd5f682714ea79f82ad37b20134bdc6c5130ec442d66a20a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB50D.bat

Filesize
722B

MD5
1ddfd26d532a8705ac55be8e08957798

SHA1
725886f413beb55f9079063289cd25ea0fe937f0

SHA256
086c6f301586c6b54eb7f7a782f293e9afdb446540ce0df46c13356d2d77289c

SHA512
812efb54549eaf6f888508b39dfd59bfa6a215f726f7bb8c3122858e28581b4dc7c101ddfc02f4fa124a72e1c8179fc7312eab544a2b7b186985fc09c16f4273

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB599.bat

Filesize
722B

MD5
06b2205a717366eba030fcaea575ec34

SHA1
38dd5feaf05510fdfab1854edbcc0dda6d1bb13e

SHA256
f6b3ac66fdeb0df107d5d725becd4086b6e1d685fb7012f827794e8836805efb

SHA512
3d9eabd58a64088c533bffca587c81ac558dd1ebbd6e483ba43557e5ed1201d2434b82ba5aae67cd5f7ecc5eef1153171ce51ea8b7c5ffbc3aaf2055d7f524f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB606.bat

Filesize
722B

MD5
737345e81d1dfa663c1eb8e5d1b20d2b

SHA1
ef53e42eab8998b826f084a15bdb7335224f68af

SHA256
4333d7b4813aa238056443a5e6c80671f5cde01d798a3527dbdaa1e9821c885a

SHA512
ef28c82bad1af5f1b894b808d6e78941323a628481cd2d3d799e919bc3779f6805b7673e28020a5c576c9a11ccd0d620cf8f533ef9087bce5a2eb479f7af068f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB645.bat

Filesize
722B

MD5
e72c3a8224afa109285f6a53bf9e556f

SHA1
8652babcce0e5e16b650da9c9e888a49ec40568c

SHA256
ff55072ffb40b7ab5cffccc63b786a9f031b4e753691828b0d284a2b7f3189ed

SHA512
711f649fc542c7b3ef2e5a817772983c809bee92b4eb34905e7663a624c81b9e6d23fbb8324866c9721566c80332a87cf5446dfb93b8a1c5368a05b8258291ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB6C1.bat

Filesize
722B

MD5
b3e3b2b0e7e4a1013e45029bafad9d7b

SHA1
d0a6ee07e4edf6b7f82bb72e54d77fa701ac3d1c

SHA256
27ce417afe5608aeec6e9a7bd86f2c4848fbbc2735ded8d06dcd3fb899b7ca52

SHA512
01c66c399c8cb8fee844a6fae67746df3cf9fcc4dc59bf5c584def188bc3ee089d11715910520d4214d2bd6d10ddc79409e5bf3e242317a8396eab348d8660f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB71F.bat

Filesize
722B

MD5
555167560ed457e6107f382c1ebd95d7

SHA1
2ec2a2084416604dfdc60cbab1ba8358f29b5821

SHA256
3b44072ad7047c28d4f557fae510438454516016aba90a285e97add4f3b4be6f

SHA512
45d1f43443a597410352e06697fa410864ab3584cba6cbba24698d3de99d73fdb4f379377a955c87eaa32ded4e1baefaa278a6bb800633e16b2466a5e8abd80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB79C.bat

Filesize
722B

MD5
8529a6439e7b9a4636a441294ba75b07

SHA1
a42e707feb7cd68cf5bb1a4b2a51d7589d93724d

SHA256
1294b9a77e3ed086aae0af3b794fa19c60ac3a807eb096fc6fe7a378cef057fc

SHA512
ae814ef408f9f68f5df5c2fdbabc117e8bfc8cadb8f2bc07889903ed12d2823a4a734121e098966c5a942d635aa9dabf5f05fd95bb116cb76a79d7985584f75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB819.bat

Filesize
722B

MD5
6c41fa94f7e66fbee4df283688dc0c6c

SHA1
be080c82fd8c3043529ad56cd53384a9d24e0dec

SHA256
6de438140083413202c078c2024683cfee2988a373db42c465694cbd15fd846f

SHA512
ca3aaff01e1e04d766538b01c99c18f17ebc6b080a323a8b463e9b5e503dcd7db8172914a6df871080b683a44a3dea0acd7273a1c45d2b8918040156fe9c3b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB895.bat

Filesize
722B

MD5
f90eb4eb4a4d8f82f293b8228c6d1d46

SHA1
2fbccd07e3c72ecc9c1a519390430249f20423d1

SHA256
5ae81bcc8916ce4ff9d848331294d06dffbf85133bc43de349e1379f0f825fbb

SHA512
873f7d160656ba65b538ec004cb984c54dc7b477806daf854c8b9c1b26a95819f69afad24701f05831c9be3a60bc444193fc919a0653c73601f4faf11b21b4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB8E3.bat

Filesize
722B

MD5
f9fc261c564489578d54e78e7cfcbb2a

SHA1
1e32499257f08a6a86aebf49e4bf4ab54be1483c

SHA256
8b4b83511230cf4b685bdf3898f92486c59704fd5611d74ee25f7e655ad25df7

SHA512
82e3a3d6e7ab0ffa2120504155b62682cae28b3462609c66fb4803a9b3706e7148185ac60b2d79db5e0e809cb9dcf2edd8afd7aaaca5a115e3c01a80d578c0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB951.bat

Filesize
722B

MD5
ee983915135d67e51dd02c06a009db40

SHA1
e37f50c478702e720ca1b5a181371bbf225a7cfa

SHA256
73db744dbdbcbd92c62b2225bd6ed3a479c6fda512803fa748eee88d4699b2da

SHA512
b0527c5afdc65cc58eacfe59eed8d036c454c77ddff138ef99476b9f90b9e61042183d87f97b917fafc4a6a3577c6a19c1f681dfd1e9dfd6263032f793d06ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB99F.bat

Filesize
722B

MD5
3c9b62a451468f8a473590abdf043cf9

SHA1
3c9474d527104130a0a713d89c6464fa8d72d63a

SHA256
214f449addc10bcd20c624e0e0db13b9c58fa430b9b18ab992eabf7bc9154fc6

SHA512
01e2ef89656f959063b6c784a413cab3c33ddc57cea4960fd9836dda4a671e45649e66d56bd4fd7d54f467bc69952bc98b9c0b95f3dc2b71a834679fb1793b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBA0C.bat

Filesize
722B

MD5
21cedad1528ed4af7b0749e750f1e932

SHA1
2cbaadba74bcd7783f699c06858e4f58501aeb6a

SHA256
4ea577b6f3a25ab95b59bed06dcb5b3914964da0ecca322fc46d20bc4dfd0278

SHA512
5fb3fe4cf186fc361acd6f20130fedba826d4d53ea299ffb15f00769ce1d8a55573b71908bbb742d8ea146407cfab9f4e6db3e14dc83aa9a1ba01f554f387f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBA69.bat

Filesize
722B

MD5
71e409ec2601c301507ac00071ab3859

SHA1
75a9ca097ba186ee7c65a51ab0c44f106966a5ef

SHA256
1789c9659572448ba4f550fcd5948b180219652ca74e4bc85da1a132edee0833

SHA512
79a6057db63429eae5babf574825f8b2ae70ac4a942ae5730566d09d12d88989247385a77eef84e5dc9ae0ee0c57cdcfc8be52ae4cfa8fa4b2b425e484b91ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBAB7.bat

Filesize
722B

MD5
76d0c721f679a4355904171f0716514b

SHA1
35c9c2225e36d7302aba6b8db547c01bf8260514

SHA256
305e77da082f61294fb067f49e802e8d140294b90fde7bf293723b2e94bfd6d7

SHA512
390ee86c0d64eed78ca072b23ac8a23310287ce0a02ccac2e5cb3689e18aca62fc125336470344a905ea83278a1923c2a511fd1a9ad01df0820d2e3ee6fa9e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBAF6.bat

Filesize
722B

MD5
abd10e0f9d08e0519bc96dbda0784554

SHA1
cb7b7098f4c6004afeb1ed724469824ff3474d9e

SHA256
f3e91e25ac41add89562e20edf4557aaa3500d007f0851833665d0965d69612f

SHA512
a870fefa8a76110f666524dba28e5757a9ad500bcc54baf7741a9e5cce03f2d6d364edae796256207553fb1c603abeac026f783dfa2809a5ff00261945914eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBB63.bat

Filesize
722B

MD5
337fc5d34d39e012621ac03ca188dd3d

SHA1
24cddae2cf1cf0836af8f34e598872248aa5b7a4

SHA256
ba56d5429211891681451726b9af27b84e8e39237eb85b35d05dbd4644c1b8f5

SHA512
8862512d2ad3e45ec0cafdf3e450ea9d46c90546f9b0b3abb3e9a79c2cd21c858d880de8a996efee63a0f1423282c0924bf1124c7773cf434d7c39f436d8e492

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBBEF.bat

Filesize
722B

MD5
850aafbf2f503f54b568c5fba4cfda7c

SHA1
2c49e05aa9be56463200979319fc2e5e605bb489

SHA256
ad3e326a3bad18cd763ceb646a85f53ad73a3123fdfd8f5fc22ddf6d5b895313

SHA512
7b67d22fe5a2f932ecba2397b49f26feabd180c2e3daabf82ed8e333b0209df554eb63f1bca6fa4a4e6526ea67f3880cecdf9fd4d3aca23ae0ca5d9ddd739aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBC5D.bat

Filesize
722B

MD5
226f7d1fb3c147a90548e82a2fe33109

SHA1
08950ea78f21964b660aa80f12b68a26d34d27ee

SHA256
83a4175a0edff385b44e8479068e45496db3a1d88a40b8d57cf9aa5f69ebbadf

SHA512
29690e1882b2bf2ad5e67f62dd8a5100515dcb16fa2ef29a9bbe5410699f34669403c4fe6655c9e38dc3e477bffee8bb48f5b5d7bc79791792e635c012037132

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBD18.bat

Filesize
722B

MD5
5ceb51f7aba10c7371fcd03b6689b8ef

SHA1
8b1e849bbd2c1255afa422354d22258c0ab05195

SHA256
7479829d2eb2a4436192c0a8508dadc6b918fee2eb3d0d1f1863c7afc8608ac3

SHA512
e0aafcf92b5f929f6d0b47bacc8e3eea495d55d15037b800e07a409db9b41cd3d73d2a58e8dac2fbe4440d05ddc6d846bac3b052e19b27b10a300529babe3af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBD85.bat

Filesize
722B

MD5
206616a01308cb6180b0d330295650af

SHA1
a54a5d78d9ee04d6b3c953318c287eb7c00ccc26

SHA256
fc6ed477050c28b375764588a914891070bb89577cdada942437ec26e3b51e9f

SHA512
0ccb88a810b2933fb76190a47efc24d9647bfc46dacc4171269ec156d76f376773fbc40c7d8dab5b82d3cb1e0571b03e26131f26e5f53c2a42bd4abfe4050652

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBE50.bat

Filesize
722B

MD5
8d67632ec53a8b8674a94e3973986717

SHA1
bf6227b20b67ad6747c26d425c6f0526fce064d3

SHA256
bcc601010c1985c420f34bd5755f3b482e07a4cfe5d3afbc8d754eb133a99aa0

SHA512
fff5b5dbe4f1db0409a3c32892d26228bb44764209dfe5dc9e62bcf9e4b34a77d54ffd61d1b9207ad116f6f605e8b9e93d77e4151e1267b7cbbd7e8992110d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBEEC.bat

Filesize
722B

MD5
2fcb4e02fea3e7424fd355c51d805fe8

SHA1
3f43a849fe86b0206640b2c23f0b60bfc2ad3d2a

SHA256
4878806e1f416e4432b35549b676abef86c49e0a5cdfaa80ce28f6a695595bfb

SHA512
fbe1bb66b48fa9895b2f022818aed9f6eabf29701ca0af8271839948b2d07abc517032c8a65cc282967b0a7e685c310a8c80a640ffc00da15d615a7ee4debc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Filesize
1.5MB

MD5
8390eee42804fa3972f15313bea91454

SHA1
5f2c563b2a5efed63fea038a31ae8ea4d3d42817

SHA256
54fd5140ca19323d87e8357c792e6f106b9467acbbb56ecd69c9ec2bba68974c

SHA512
a3a351ff1779119e26dd1afaa9d78b2e4e6d70978dce6386379475dc8bcf44f18ee7988b8fedff263b32598c81733f49ed93f79a77e02a0b5ba9b0374f69e232

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Filesize
1.5MB

MD5
ceb672b59ae8aa63de17b91f23eeb781

SHA1
be4d83d3b9706ef528f539013c8f7cc95a4626da

SHA256
915c2b05751586028e879881c01d046d0ae6965e17875b6eddafde3d48d65e3a

SHA512
753cfb61689d712600830665c239ef91f516a670c969759c44996bbce7f8fd36f97c402f09fb701a8affc90aa169e7730b764c577d54ad241f323f492f821545

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Filesize
1.6MB

MD5
82b3daffe88db9c756ad91478ec15fbd

SHA1
fc70b0daa48a76b81271b63c686022ca20a744c8

SHA256
71172527e1cb0a326afde52f1344214a8ad0c1e2f91f95540d58d282017d9c2d

SHA512
f6588d7c4901843690121c897f93b3c363ab336a8b97fcadebe0a8c0e0f47627e8430d826adc1d8782bf7b95ca5c33ded22b4bd3da2e19f2145f29fa3c77f63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Filesize
1.6MB

MD5
0758588c903431ca72f83873fed5ee6d

SHA1
04058fc8ca64b3339b3af93ca360661e97dac4a9

SHA256
cf80a37957c28bf6cfb8adc34e96176ed178d2add5fd51c6c5dabb0aa444ac69

SHA512
a14a9ff0399b8254f06b9bcbfe2184487d61487ec6990edb312fedfeb782e1481645dbba33d9bf60489b016d1a77363acf8306495703ac86e145198fd764cf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.4MB

MD5
79781d1144eac7e04aa9f4df837425a3

SHA1
2c0a7111f009c06653e45336e8360ed14bf210fd

SHA256
7af58533168028e5b89c0d1f2b9383157a7a68591f8f532acaa6666becbbde2b

SHA512
243382f4305c94f7b75e276cf16138f35062fc5f957128116a6f1f1f7412fe834e772439395c8aa570bdf50a596e203641d0e7f3e5cdf01008bd0b24516b6867

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.5MB

MD5
9b5c76799d9d1a8d9967f302ac3fc1ec

SHA1
1a5cacedc4f22e33ae7870f2e7e190748285e0de

SHA256
0586201a8fd94d3f46ab51e78ef54eae70d8dda96f0c04a28c5d3957455d8cec

SHA512
23da9c5484b617a57e3544d7f331809bd1d0f288bc90efce61361c761fd4191033aa28281fb9785fe7e5f0709f9fb9d5d098f44d4adba185fe9a85171f9243f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.3MB

MD5
17c7ace555fe5108801581e0537e1de5

SHA1
261ba39c10e678188d3fbdf28241ea4f5f499684

SHA256
e34c6b05ae4d41c1835566311a6a2b3343665e3a6315ff880fc9e6156a3704b6

SHA512
d5eb4d6c68e2a17df59cd4c15b841f89942140116786cb81a9c064bc769a42b837c0ea65791834bf0f8286703fbd376e180ed2ed07d687e2613e7c35c564f2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.4MB

MD5
6453c16919e8470f1ba2bc5d5a107ba8

SHA1
bd1acacb00564a4d3ef5bce6024f6c0ff57fd06e

SHA256
e32c3ef6c1bd9f6894bd3eb0c725becdc79e384fd1801003b4b1b4d10704701f

SHA512
57fc8cadef16699392ec155c57fe5fa93df00f9d5705ea0a539f0b2820cc43a145963effd961b5309a158673e00f7f1cc83af6a333c117de35a0aaf63c7fa156

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.8MB

MD5
ef5ec16ae976ab4940243d706ab9a235

SHA1
d9c291d767481b73cd38f29d2821a45b886ec05b

SHA256
36c11124fb05c4fbe69e5ee1b57b4bb12438704b3c98f91e482e993806ddcfda

SHA512
271f4f640961dce4b7df29485a41f59c9d1bc78f55e1f252da4ec4814b59fb8a5a55d7dfbe228c074318807078ea94290b5c89c88191d23ac88d8d0ea020eb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.7MB

MD5
22ed0526ac6f69992e23505e8d7dc004

SHA1
af3cbe14fc0c4364bc499de1fdc243d252c81d38

SHA256
2bdb0cf8c704fc2c96c7ec9dcf60190f59bec6cb814adfbb430a97dd1391bb53

SHA512
fd7fb5699e48bfc2ec446ec732f993452f831df6567f976ab5ebac40392ce13a038a705a0eafe65104f4c2eeb5a60bd9a0975b6613ddb78d709b1219376ee5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.7MB

MD5
b2b328794fcd97500ae2370f88d93678

SHA1
c58aacfa72f89ac8cd56f700571e82659f6b011f

SHA256
be89a2ccaa2da559e8a58119f8251cc16e8af9de27e7b90fa8480092daafd70f

SHA512
7208abd523b5cc1f0e229709557f50073d360d2e8c01205995e04ab772243798bf9d2c93c7e4112a7714b4321cd39abc0ff1d7845b5977250cb039947c50ad7b

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
6d85a04f5bb329cbba3880c43337ec52

SHA1
8c2e62f730619b2e06a5fb802e115606b664525a

SHA256
ff95e5e3fea6e5f9692d24c81ab36bae1013658a34bc60cdcd9b4c591e7feec1

SHA512
31919b83c1b66e4eb99612c6b23a7dfc1cd107e51e3178bc8fb695c8243d7493f43b05a4ab8d0880763aa584ccbecdb1b61b31f0a66d8a92938884b9ef04daf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\_desktop.ini

Filesize
9B

MD5
5412111268dd2c1fb1cf8697bfab9b6c

SHA1
16d0b289e83c74cb50a004edd7c5750ac706f321

SHA256
f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

SHA512
13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

Download Submit
\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Filesize
1.8MB

MD5
819c835041cf406f61377f3f434672ec

SHA1
6b69fd7f0163e338e26f8548657cd8f02d6bd783

SHA256
d8fd9cab261550edf66e0ada7109a321765e645a1122004f6661f86092ede187

SHA512
81045de8da7a5d12bb8751c1860de2412416b7aebc6bfce5231bdb91b1fa5eb0b7b82e49f1dd1a4208c8f7b9909adee09fb9e7096f49695ae8658189903fdbfd

Download Submit
memory/348-127-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/620-4389-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/628-15-0x0000000000230000-0x000000000027D000-memory.dmp

Filesize
308KB

Download
memory/628-17-0x0000000000230000-0x000000000027D000-memory.dmp

Filesize
308KB

Download
memory/628-18-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/628-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/684-4559-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/760-4632-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/868-4600-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1032-4653-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1032-4643-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1036-4621-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/1128-4788-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1128-4793-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1196-43-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1224-4745-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1276-133-0x0000000000850000-0x000000000089D000-memory.dmp

Filesize
308KB

Download
memory/1320-2962-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1432-4716-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/1580-4641-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1600-161-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1612-3632-0x0000000002660000-0x00000000026AD000-memory.dmp

Filesize
308KB

Download
memory/1656-4694-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1656-4684-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1688-4591-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1808-4610-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1812-143-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1916-4611-0x00000000001B0000-0x00000000001FD000-memory.dmp

Filesize
308KB

Download
memory/1944-4664-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1976-4560-0x0000000000140000-0x000000000018D000-memory.dmp

Filesize
308KB

Download
memory/2020-4736-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2036-4746-0x0000000000280000-0x00000000002CD000-memory.dmp

Filesize
308KB

Download
memory/2076-3659-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2076-1454-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2076-1520-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2088-3290-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2088-3280-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2144-4631-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2148-3642-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2184-3281-0x0000000002620000-0x000000000266D000-memory.dmp

Filesize
308KB

Download
memory/2296-3685-0x00000000001F0000-0x000000000023D000-memory.dmp

Filesize
308KB

Download
memory/2368-4581-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/2416-4642-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/2428-3649-0x0000000000130000-0x000000000017D000-memory.dmp

Filesize
308KB

Download
memory/2428-3648-0x0000000000130000-0x000000000017D000-memory.dmp

Filesize
308KB

Download
memory/2432-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2432-115-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2432-3630-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2432-4794-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2444-4654-0x00000000001B0000-0x00000000001FD000-memory.dmp

Filesize
308KB

Download
memory/2468-4548-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2468-4539-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2484-4765-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2492-4620-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2540-4704-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2544-4703-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2548-1453-0x00000000008B0000-0x00000000008FD000-memory.dmp

Filesize
308KB

Download
memory/2576-4538-0x0000000002260000-0x00000000022AD000-memory.dmp

Filesize
308KB

Download
memory/2576-4537-0x0000000002260000-0x00000000022AD000-memory.dmp

Filesize
308KB

Download
memory/2592-4571-0x0000000000230000-0x000000000027D000-memory.dmp

Filesize
308KB

Download
memory/2592-4786-0x0000000000130000-0x000000000014C000-memory.dmp

Filesize
112KB

Download
memory/2592-4787-0x0000000000130000-0x000000000014C000-memory.dmp

Filesize
112KB

Download
memory/2736-117-0x0000000000190000-0x00000000001DD000-memory.dmp

Filesize
308KB

Download
memory/2768-3684-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2768-3695-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2772-60-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2784-4683-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2800-4776-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2800-4785-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2808-4580-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2836-4570-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2864-4775-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2912-4726-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2960-3668-0x0000000000150000-0x000000000019D000-memory.dmp

Filesize
308KB

Download
memory/2964-2868-0x0000000000500000-0x000000000054D000-memory.dmp

Filesize
308KB

Download
memory/2972-4715-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2972-4705-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2980-3678-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2996-4756-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3000-38-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3004-4674-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download