41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327

Analysis

max time kernel
94s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Size

1.8MB
MD5

f7bd915047964c6345eee588679d3f6c
SHA1

818772db9065eda9a6ccd20eef06d5256280e17f
SHA256

41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327
SHA512

301ac44daf8b6121b70c3bdf106b6e15af2c8727c91ec81a595186614ad3f1b4cc431d254dd59564ed84abee23883c25bed5e9233b2dc20c6fcb0393e7bb6585
SSDEEP

12288:vj7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7g:fcX

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Executes dropped EXE 39 IoCs

pid	Process
4768	Logo1_.exe
5024	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4020	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3208	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1388	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2024	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4592	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
5108	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1948	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3572	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2964	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1840	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
404	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
388	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3380	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1284	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2756	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3200	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3972	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1568	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1992	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2516	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3148	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3980	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2280	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4684	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2352	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2644	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2364	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
404	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
5076	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3380	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3912	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
3404	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
2756	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4880	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4816	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\B4C31.com"	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\_desktop.ini	Logo1_.exe

Drops file in Windows directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File opened for modification	C:\WINDOWS\FONTS\B4C31.com	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\rundl132.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\WINDOWS\FONTS\B4C31.com	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
File created	C:\Windows\Logo1_.exe	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1736	4816	WerFault.exe	203
716	4768	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe
4768	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4816	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1660	1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	82
PID 1400 wrote to memory of 1660	1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	82
PID 1400 wrote to memory of 1660	1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	82
PID 1400 wrote to memory of 4768	1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	83
PID 1400 wrote to memory of 4768	1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	83
PID 1400 wrote to memory of 4768	1400	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	83
PID 4768 wrote to memory of 5068	4768	Logo1_.exe	85
PID 4768 wrote to memory of 5068	4768	Logo1_.exe	85
PID 4768 wrote to memory of 5068	4768	Logo1_.exe	85
PID 5068 wrote to memory of 2700	5068	net.exe	87
PID 5068 wrote to memory of 2700	5068	net.exe	87
PID 5068 wrote to memory of 2700	5068	net.exe	87
PID 1660 wrote to memory of 5024	1660	cmd.exe	88
PID 1660 wrote to memory of 5024	1660	cmd.exe	88
PID 1660 wrote to memory of 5024	1660	cmd.exe	88
PID 5024 wrote to memory of 4068	5024	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	89
PID 5024 wrote to memory of 4068	5024	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	89
PID 5024 wrote to memory of 4068	5024	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	89
PID 4068 wrote to memory of 4020	4068	cmd.exe	91
PID 4068 wrote to memory of 4020	4068	cmd.exe	91
PID 4068 wrote to memory of 4020	4068	cmd.exe	91
PID 4020 wrote to memory of 4832	4020	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	92
PID 4020 wrote to memory of 4832	4020	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	92
PID 4020 wrote to memory of 4832	4020	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	92
PID 4832 wrote to memory of 4628	4832	cmd.exe	94
PID 4832 wrote to memory of 4628	4832	cmd.exe	94
PID 4832 wrote to memory of 4628	4832	cmd.exe	94
PID 4628 wrote to memory of 3584	4628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	95
PID 4628 wrote to memory of 3584	4628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	95
PID 4628 wrote to memory of 3584	4628	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	95
PID 3584 wrote to memory of 3208	3584	cmd.exe	97
PID 3584 wrote to memory of 3208	3584	cmd.exe	97
PID 3584 wrote to memory of 3208	3584	cmd.exe	97
PID 3208 wrote to memory of 3204	3208	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	98
PID 3208 wrote to memory of 3204	3208	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	98
PID 3208 wrote to memory of 3204	3208	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	98
PID 3204 wrote to memory of 1388	3204	cmd.exe	100
PID 3204 wrote to memory of 1388	3204	cmd.exe	100
PID 3204 wrote to memory of 1388	3204	cmd.exe	100
PID 1388 wrote to memory of 2000	1388	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	101
PID 1388 wrote to memory of 2000	1388	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	101
PID 1388 wrote to memory of 2000	1388	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	101
PID 2000 wrote to memory of 2024	2000	cmd.exe	103
PID 2000 wrote to memory of 2024	2000	cmd.exe	103
PID 2000 wrote to memory of 2024	2000	cmd.exe	103
PID 2024 wrote to memory of 4956	2024	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	104
PID 2024 wrote to memory of 4956	2024	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	104
PID 2024 wrote to memory of 4956	2024	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	104
PID 4956 wrote to memory of 4592	4956	cmd.exe	106
PID 4956 wrote to memory of 4592	4956	cmd.exe	106
PID 4956 wrote to memory of 4592	4956	cmd.exe	106
PID 4592 wrote to memory of 4764	4592	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	107
PID 4592 wrote to memory of 4764	4592	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	107
PID 4592 wrote to memory of 4764	4592	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	107
PID 4764 wrote to memory of 5108	4764	cmd.exe	109
PID 4764 wrote to memory of 5108	4764	cmd.exe	109
PID 4764 wrote to memory of 5108	4764	cmd.exe	109
PID 5108 wrote to memory of 3856	5108	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	110
PID 5108 wrote to memory of 3856	5108	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	110
PID 5108 wrote to memory of 3856	5108	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	110
PID 3856 wrote to memory of 4072	3856	cmd.exe	112
PID 3856 wrote to memory of 4072	3856	cmd.exe	112
PID 3856 wrote to memory of 4072	3856	cmd.exe	112
PID 4072 wrote to memory of 3332	4072	41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe	113

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
  "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A31.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
      "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7B6A.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4068
      - C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C06.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D1F.bat
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7DBB.bat
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E58.bat
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7EE4.bat
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F61.bat
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7FDE.bat
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a804C.bat
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a80C9.bat
        23⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8155.bat
        25⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8240.bat
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a82BD.bat
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8359.bat
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a83C6.bat
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8443.bat
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a84D0.bat
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a853D.bat
        39⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a859B.bat
        41⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8608.bat
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a86A5.bat
        45⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8712.bat
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8770.bat
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a87DD.bat
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a885A.bat
        53⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a88D7.bat
        55⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8925.bat
        57⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8954.bat
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8993.bat
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a89D1.bat
        63⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A2F.bat
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A6D.bat
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8ABB.bat
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B0A.bat
        71⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B58.bat
        73⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B96.bat
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        76⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8BE4.bat
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe"
        78⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 184
        79⤵
        Program crash
        
        PID:1736
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 796
      4⤵
      Program crash
      PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4816 -ip 4816
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4768 -ip 4768
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a7A31.bat

Filesize
722B

MD5
ccf40fae61d0af78a62efc9e33caa45b

SHA1
2547375ac974b88c4ec5d1bcf12a3ce501c36d61

SHA256
b9cd3dcbafc35f8c4ae64f2b97fedfe6514d88a6ad55eb71e262d91e54c360a6

SHA512
a5c1b4735b9f7208cf86e5f7fe13b091f384f4e846f127190f98f782aa7aae1c13fbb9c2761f80e114cf9a03724039d5be1fa3d25dd024f1a4577f3e0ff44249

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7B6A.bat

Filesize
722B

MD5
9e400a667d5f30970c7408d124b182eb

SHA1
31ce65617863cb2ec5333e623c1978e0f3eb792b

SHA256
c94617bdc9ed38df9111ad4b36075239dd0ab7bf4fad577cffb0b8d665a44757

SHA512
99b161e516c5c8b2471bf96c8c017f88ae17177076f1229dd60bdbdbd29d609315aacf4e8951a07194005b3a8545deb94ce0a4453c079f0ee6c03b43d6c2ea60

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7C06.bat

Filesize
722B

MD5
b8c9dd746a8686f5825af950a876e577

SHA1
1c9b5fd953a51f06668644ffbf216871a135daa3

SHA256
7fd9c93d5ec55be2fc777ef6c164bc1027751112bbe8c6c3193b052adffeda2d

SHA512
3d148c1873fcfe89757feb3bb0328382f0c6b07fb9ca717e47476fa20fcde5583053c4dce74f0fdc26e9e6726fa34541cbcb192fb913969a2a3e157d918bd364

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7D1F.bat

Filesize
722B

MD5
04ce334839a17371e9c7c28073f2db9c

SHA1
83f217a2861e7e0b96daea0eeb093e4bb8fd93cb

SHA256
9016328a269e690f8d12b77f9c8bc79b457185e4d30a51876c052be08ef953ec

SHA512
67f8d62d29d437de4744fff12fa96992616f3b787f2c0d014a4e12fed2d7d36df74a9b7278e6440bfbd5b66ee5bc19bef5de2482d4a59fce3d2bdcaaf0c615ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7DBB.bat

Filesize
722B

MD5
86f7b0d010a18de830506d526f6e5897

SHA1
2f4444b74e22f9a6f1b96871db21dfe00a99237c

SHA256
4e3778302bccf8473a10e3e14569e7f54c5dac776dad6abdc4b448fb6e785be0

SHA512
c4114f52680056f087801df28b5073cc923c1e2db2fa01a71c71a0f6f4a8215688120efa88248867fbf3234da3df1fb0c109af323699a1912fc2facf3b38a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7E58.bat

Filesize
722B

MD5
8669864983b71cd3ff1a584be3dbfddd

SHA1
fa3e4164ac94114beff23ca29dc7265ce94bba21

SHA256
46a2333d088f3b7c2995409f8e87dd686d3d5f30a61b5ec59f45bd95e62ec617

SHA512
eaea73720bd325e19f52002dca8f576d2d6965e2bc19df8017402851c9877d8321b50bf78cdf5a3ded0f422cf4fa3b849c208fbcecc00af222f2ebc860a67d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7EE4.bat

Filesize
722B

MD5
ed60ad54ad14b20fb1c8b9c47f084b26

SHA1
44d4c89e0e7c2550d5f483ce5d47b0ce27be0439

SHA256
bbeba5a9fd4a015b9b5941497f66cd8c95a8cb70b69e57799efc3367d0bbd585

SHA512
1b889e4976c17009bb6eb6eb293372a561eba313ea331196b3e963dfbdc8bc1ebc94701656b83487a61924e98d3dc1cf16c06342114851ff725944986ad2ee6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7F61.bat

Filesize
722B

MD5
43381a9cee718953a279939f8345758b

SHA1
c510f19360c8ee986e9b3d5593d165a36b08faed

SHA256
ac4281ed6bd9b66f590c1ffed778c19ceea553f9fdc480bf5ed7f05a1eb4fd14

SHA512
563afc782fdac67e0ee0768dff1e64750586763ef4c2db04da83f8c7a43fe126d70cb6b9f922a2b4c0403563d7d284a2154a3e7bbcb695b15b667036545961e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7FDE.bat

Filesize
722B

MD5
a5e3ac1516c3fc84ce27dd47c229a0f8

SHA1
5dd4f5235895d16a5eee623f9f1ab1b77f142461

SHA256
317240b6b9590abedc66e4f06dfb909b447f32ae70c6f6130d3b291ee2d21d94

SHA512
7fd7eadcc83b1b6b2ab8e34c058c58ec08e582192d356313f5c5b403c6e0f88c76cd4b63942b19e5e4b5987e6f7329155520b3785e48f01677aad69642b39453

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a804C.bat

Filesize
722B

MD5
c20a8cf7bf7eee8e894fe2e36a287152

SHA1
ac7f3a2b2142cc1f7050395132552e30d98659d2

SHA256
7188275e576282f61aef0c996aeaf117ec35c19090053862fe0595c6e121b34a

SHA512
1585ab43a10b0a01e229e26ec1bbe886a9b9e80fae55abd4fb18824a1c7c3d8b0d03d3b8a24bde9f078256e54bc750f2f0a652fff4194d0ebd24198750a39abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a80C9.bat

Filesize
722B

MD5
cedfd488276ae47906a35f2f7d85d533

SHA1
400bc2ff08270ba00345b1d17f4ab4144a1e8a92

SHA256
45710816af5117b944fe6081018fe54778c8c03bcb8ef95ebbb9392320596992

SHA512
9f22554bfb7df51e7a844bd5f517378a78bcd97a40359b00526ac4ae1ccfbe9f11b07fcd1268a3aa32fdcd607185c9eb14e837fad9e3c431ba4fd309c4f1d68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8155.bat

Filesize
722B

MD5
48879b423897099025b9c849eac596a4

SHA1
2d5df08226edf42d25a17e239c58170492e1c2a5

SHA256
e9ba893ff7664ab35bfe288e83fb0006d42bc64e00c3b70b521c048547185060

SHA512
edca6575e8834359672c7fd3bfa2be103015aadbad373a9dbd64f8a947c096f6ae858f025707ded182c7d4ca12dd0f33b002a03eacd942cb2e6d8ee55b74b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8240.bat

Filesize
722B

MD5
122bc63f7308c5b948df10f3471a1bf6

SHA1
ca2031a86d3e7f1649ce8f1d81d45f7734fe3e1a

SHA256
0f28b8400f3e87ca3add1f1d7b4e14a9bfa2a8a262be1d3782e6f9ff251eada1

SHA512
7e6bb4cab8fb795376a29525d17f6862f6ddfcc605831990f08c90f64934fce7bd99657aa9c14ffffe3d320851b48f68957fe6adc419d7904f29a750097501a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a82BD.bat

Filesize
722B

MD5
34777e24887edac35193a53f17c7e39c

SHA1
7d6d310c5861caea3b187145753f519126ebdd9f

SHA256
c975b0e074ade6ba9b879e35c0e89b0b9e081c90f78c29e87f555336dc6ec690

SHA512
3dcbd98905a0084f64609019db204123b7a2201ca3e66581a520a920a7e05419f0d3ae1ec783de4cb1487283c10a536d3145ba675838d57e975cdc1bb820a41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8359.bat

Filesize
722B

MD5
f7529e176f1899568a711aecc6208e5a

SHA1
2dd32949c9172710a8c26096da0885efbf080f45

SHA256
bd560c2d397bbd9d880b054b2e944dadfb35e183169b994fb76e0fc6439e3f11

SHA512
f2bb2316a76be0af10889c5f79ee1da5229700bb626896637669df6b35dc5236fbd00f13aca6ee5457a3b29c57b84d10e18cf67fbcd7c9613a19651084045925

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a83C6.bat

Filesize
722B

MD5
119870f1a795cb4ef13cb00d1a893171

SHA1
298317b1012ee7cde96b23b7c4449c24d89f42ae

SHA256
1d093bbb7ab6d54b5e148f3cc6d9f052e2530112d6406cd2120d6f03f2d51252

SHA512
3df332d8e4faf22353e1678c52f75422dc365e486afcf6dd1ff57ecce483d008d9d75df2e0ad76ee73af25875b16bef9fcbfd15f3c92807149133d6b6e9b008e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8443.bat

Filesize
722B

MD5
bd7a41f44c27231fd54807bfe21eb3ee

SHA1
acbbf7185901f59466759134800dff8cb5ddd048

SHA256
9efbe54ac8d747c43c1335aad383a90d7c8488c68bb060be23fab1c3f3ed8b83

SHA512
ba8a388d204b4e801c2c187c09467fac5aea7c34ba0fb88de9fec4a619c7f335f5d31d41eeaeba01b94471ac6108fba741157acc49eae9ebe513212ba384f2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a84D0.bat

Filesize
722B

MD5
c99234b463e2802a2f24a49b835afd81

SHA1
68f95403eebc16adffcd1da39d7acf50fd1158ca

SHA256
7172f60fce380d35d9d8dfc40ea90636024e7aa34c77806a907a75ea044ba3bb

SHA512
fd0c8cf04401a1222ee78573002152fed651165a2e8fcffa03f68c10b3558cc64bd017bbd33ad36b1b77955380367adeeb340957b535e36621d3c7e4d593d65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a853D.bat

Filesize
722B

MD5
f71431851e13c71f56315538e90e66ab

SHA1
5251a45d845229e809173cfecd4aa8a75a67896b

SHA256
1971be772dbef4516d77608f389c11a659d77abe68bf4f6c10c17a7872475aff

SHA512
18b8c43cdbe4dd8d465edbedc1b762d250955f2f719aa5137154ffcca8f453c48f3d2d9d7c727c5d6f7930edd5df028f839c915a4e7bbdc551d3879094f49d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a859B.bat

Filesize
722B

MD5
1f02a7a9e22e6713971047e91a949d5f

SHA1
cbe5bff08dc483acacddb8a53d279cd471d582ea

SHA256
9990b0965b3700adca62265281aad02cacd0c40261817578d7d2eca2a37d5c5b

SHA512
cf37fc0a7a0f890b0a220916d76fb2b1f090f099c673280446e32434cf5a357f02eb4e190141fd88f46935abdac9218a95b3088beac3f919b1edebe8df92d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8608.bat

Filesize
722B

MD5
27b46be0167afd178359b4b74d23f69c

SHA1
8c2c373a082f0dd3bdd58c3159449a107d044db2

SHA256
d78610ea24ceaf4a938b4e995204be3552c065787f7072e2ac34360e613c4e77

SHA512
87c676bddf9fa0cbbea023f40f3e60b483c9103bde83b2d760a178052cc061518631b9a979b0d0595831472a976c1a3dbc3fac9a37dd264c9add1d10a7f6a7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.8MB

MD5
819c835041cf406f61377f3f434672ec

SHA1
6b69fd7f0163e338e26f8548657cd8f02d6bd783

SHA256
d8fd9cab261550edf66e0ada7109a321765e645a1122004f6661f86092ede187

SHA512
81045de8da7a5d12bb8751c1860de2412416b7aebc6bfce5231bdb91b1fa5eb0b7b82e49f1dd1a4208c8f7b9909adee09fb9e7096f49695ae8658189903fdbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.6MB

MD5
0758588c903431ca72f83873fed5ee6d

SHA1
04058fc8ca64b3339b3af93ca360661e97dac4a9

SHA256
cf80a37957c28bf6cfb8adc34e96176ed178d2add5fd51c6c5dabb0aa444ac69

SHA512
a14a9ff0399b8254f06b9bcbfe2184487d61487ec6990edb312fedfeb782e1481645dbba33d9bf60489b016d1a77363acf8306495703ac86e145198fd764cf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.8MB

MD5
ef5ec16ae976ab4940243d706ab9a235

SHA1
d9c291d767481b73cd38f29d2821a45b886ec05b

SHA256
36c11124fb05c4fbe69e5ee1b57b4bb12438704b3c98f91e482e993806ddcfda

SHA512
271f4f640961dce4b7df29485a41f59c9d1bc78f55e1f252da4ec4814b59fb8a5a55d7dfbe228c074318807078ea94290b5c89c88191d23ac88d8d0ea020eb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.7MB

MD5
22ed0526ac6f69992e23505e8d7dc004

SHA1
af3cbe14fc0c4364bc499de1fdc243d252c81d38

SHA256
2bdb0cf8c704fc2c96c7ec9dcf60190f59bec6cb814adfbb430a97dd1391bb53

SHA512
fd7fb5699e48bfc2ec446ec732f993452f831df6567f976ab5ebac40392ce13a038a705a0eafe65104f4c2eeb5a60bd9a0975b6613ddb78d709b1219376ee5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.4MB

MD5
6453c16919e8470f1ba2bc5d5a107ba8

SHA1
bd1acacb00564a4d3ef5bce6024f6c0ff57fd06e

SHA256
e32c3ef6c1bd9f6894bd3eb0c725becdc79e384fd1801003b4b1b4d10704701f

SHA512
57fc8cadef16699392ec155c57fe5fa93df00f9d5705ea0a539f0b2820cc43a145963effd961b5309a158673e00f7f1cc83af6a333c117de35a0aaf63c7fa156

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.2MB

MD5
55539e0ce83fb90a30929adba4017b85

SHA1
e5306374553b58d1295223e36452689f7fbd56a8

SHA256
e64404e3ae9feb4b080622f702bee11d88c345c1b39623fe945b8667d5734f83

SHA512
1f4b2cad565793b751b2a7c0615f4bc6244e776f2e96ce5d9b26b2a1602f4f270e66d5eafeb7f1f1976af991318cde81a1d56bfa8559d268401ee7203b06db63

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.5MB

MD5
ceb672b59ae8aa63de17b91f23eeb781

SHA1
be4d83d3b9706ef528f539013c8f7cc95a4626da

SHA256
915c2b05751586028e879881c01d046d0ae6965e17875b6eddafde3d48d65e3a

SHA512
753cfb61689d712600830665c239ef91f516a670c969759c44996bbce7f8fd36f97c402f09fb701a8affc90aa169e7730b764c577d54ad241f323f492f821545

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.7MB

MD5
b2b328794fcd97500ae2370f88d93678

SHA1
c58aacfa72f89ac8cd56f700571e82659f6b011f

SHA256
be89a2ccaa2da559e8a58119f8251cc16e8af9de27e7b90fa8480092daafd70f

SHA512
7208abd523b5cc1f0e229709557f50073d360d2e8c01205995e04ab772243798bf9d2c93c7e4112a7714b4321cd39abc0ff1d7845b5977250cb039947c50ad7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.3MB

MD5
46a565c71f3275a08a943e75a9630534

SHA1
600479e2363c656b6a797a9e8e29c23eb8b56af6

SHA256
dcff89cbe4178ae735dd747205fd555d55012bb3209f082c49fa422badfb2f51

SHA512
ab0ca82a17fcfbb2695f2d9650ca14ca5a4b69df03c206531426f97d03a1b3273771c9a277b9146431ea7499780870a8d9206c08dfcd37228ed65335693d230a

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.2MB

MD5
87bd0d2582071bda48652f00f8722af1

SHA1
1e8033cac3b89c8a881dd20102a0f8d28568b80e

SHA256
1bb708a8fce7a2ace5c06ac47fe3cbc8f2365812ac7f8995a946b968c4d6e642

SHA512
6b2fa9835be7172cef138cf3289b31f58e0c4cc072a55cafb384a145a85350de5a1ef18adf25f349b3180c49bcccc26ac3229ef75efda21042a8473ed3146145

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.5MB

MD5
9b5c76799d9d1a8d9967f302ac3fc1ec

SHA1
1a5cacedc4f22e33ae7870f2e7e190748285e0de

SHA256
0586201a8fd94d3f46ab51e78ef54eae70d8dda96f0c04a28c5d3957455d8cec

SHA512
23da9c5484b617a57e3544d7f331809bd1d0f288bc90efce61361c761fd4191033aa28281fb9785fe7e5f0709f9fb9d5d098f44d4adba185fe9a85171f9243f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.6MB

MD5
82b3daffe88db9c756ad91478ec15fbd

SHA1
fc70b0daa48a76b81271b63c686022ca20a744c8

SHA256
71172527e1cb0a326afde52f1344214a8ad0c1e2f91f95540d58d282017d9c2d

SHA512
f6588d7c4901843690121c897f93b3c363ab336a8b97fcadebe0a8c0e0f47627e8430d826adc1d8782bf7b95ca5c33ded22b4bd3da2e19f2145f29fa3c77f63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.2MB

MD5
a64074245477d333dacd4f24d40747b4

SHA1
b5b9a9673bf5f5f30fae61beeb5b229d956fb7df

SHA256
efb10c0efe9d588e8f7e6b645869585869d1a612ecd482164b7bc21072237e6d

SHA512
e07a0189dab47a88602d8cf0540e1629141f4a558103d4aa71d6b8b691a7351883eb0eca89c6899e7bb9fcaeb8d50cc74ed3edb3ab794c5040cf8ba5bc1a44cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.1MB

MD5
5341caf61e76d901f66808c6873890bf

SHA1
c03bbad4dc340b1d8f049dd2cf2331389bb1936d

SHA256
8975321ec8fec6cb378f70fd08b433a20dbf1ee51bc93e81054324bc9c06d2a0

SHA512
52d5b4b9b5db994d4ee354ee4cd6788a2efa38c7254bf715d2a6d686501732e7395331b8472dfb0e9b5f739a2c933856910337193815b5c12d6ba566752fc5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.5MB

MD5
8390eee42804fa3972f15313bea91454

SHA1
5f2c563b2a5efed63fea038a31ae8ea4d3d42817

SHA256
54fd5140ca19323d87e8357c792e6f106b9467acbbb56ecd69c9ec2bba68974c

SHA512
a3a351ff1779119e26dd1afaa9d78b2e4e6d70978dce6386379475dc8bcf44f18ee7988b8fedff263b32598c81733f49ed93f79a77e02a0b5ba9b0374f69e232

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.1MB

MD5
4e49fcebb06945f128e6a0d859db04e5

SHA1
8d285dc8a8a56766b3457d2d43f5fc46e241c8bd

SHA256
885a7558106653623010fd415d1ada8a7ac0b1720839f7b0913f4f18cc9c74e1

SHA512
9e95b7de1dea3c745ba22685f0fa7753730d28f7815014ab818ced23a76cd35f240be927be1bf9c62850fd09ea23c3a79c5514bb3261d7d8e3c91ae940d01111

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1005KB

MD5
edc1811d0ea8535a3e353d8c899cbdb0

SHA1
d9918b54d361a32ffb22a2169009d6f8d5b2a2b4

SHA256
bb41d52cd9d5a0f5bc55f5f6fcb4c7c4fa8f24a596ace413275b876a76b6b41e

SHA512
41eeeea83a1aed3ce7e919520665a504be51cbd8d57cac59b4d4017102fb12e9f50a5f8bd069f593e1efc40eb7fa93ec9a3096287b971de3bcaf2de5d08b4fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.4MB

MD5
79781d1144eac7e04aa9f4df837425a3

SHA1
2c0a7111f009c06653e45336e8360ed14bf210fd

SHA256
7af58533168028e5b89c0d1f2b9383157a7a68591f8f532acaa6666becbbde2b

SHA512
243382f4305c94f7b75e276cf16138f35062fc5f957128116a6f1f1f7412fe834e772439395c8aa570bdf50a596e203641d0e7f3e5cdf01008bd0b24516b6867

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.0MB

MD5
36f9edc24d01b52655548a13c9a2e414

SHA1
0e1e32e2a04812ed63e3b94adb57462e5afefa2c

SHA256
240a3127e384fa3cfdec86720731ef65f72d74a3f1a324def522aa7d582e8b14

SHA512
7cf6bbc995cb6baf8274d4798960c7fdcaf705344cb8428c9d9cc5a597dde8328245093d315bc09d821b9cffcade124770a914e30f091946ab3971120cfca966

Download Submit
C:\Users\Admin\AppData\Local\Temp\41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327.exe.exe

Filesize
1.3MB

MD5
17c7ace555fe5108801581e0537e1de5

SHA1
261ba39c10e678188d3fbdf28241ea4f5f499684

SHA256
e34c6b05ae4d41c1835566311a6a2b3343665e3a6315ff880fc9e6156a3704b6

SHA512
d5eb4d6c68e2a17df59cd4c15b841f89942140116786cb81a9c064bc769a42b837c0ea65791834bf0f8286703fbd376e180ed2ed07d687e2613e7c35c564f2f5

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
6d85a04f5bb329cbba3880c43337ec52

SHA1
8c2e62f730619b2e06a5fb802e115606b664525a

SHA256
ff95e5e3fea6e5f9692d24c81ab36bae1013658a34bc60cdcd9b4c591e7feec1

SHA512
31919b83c1b66e4eb99612c6b23a7dfc1cd107e51e3178bc8fb695c8243d7493f43b05a4ab8d0880763aa584ccbecdb1b61b31f0a66d8a92938884b9ef04daf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\_desktop.ini

Filesize
9B

MD5
5412111268dd2c1fb1cf8697bfab9b6c

SHA1
16d0b289e83c74cb50a004edd7c5750ac706f321

SHA256
f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

SHA512
13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

Download Submit
memory/388-128-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/404-121-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/404-213-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1284-142-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1388-48-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1400-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1400-11-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1568-172-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1840-114-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1948-87-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1992-176-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2024-57-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2280-193-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2352-201-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2364-209-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2516-180-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2644-205-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2756-235-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2756-149-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2964-101-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3148-184-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3200-156-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3208-41-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3380-223-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3380-135-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3380-189-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3404-231-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3572-94-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3912-227-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3972-163-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3980-188-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4020-27-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4072-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4592-64-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4628-34-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4684-197-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4768-8-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4768-4831-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4768-83-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4816-1978-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4816-241-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4880-240-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4880-236-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5024-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5076-217-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5108-71-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download