a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec

Analysis

max time kernel
138s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
11-05-2021 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
Size

15.5MB
MD5

a6be4e2fbf011eec327a6394b72af75c
SHA1

9b5ed8b2a72aeb978019b2bdf105e083c11be184
SHA256

a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec
SHA512

4f3c9fdd96f877fae22ec31ab6ac7163c9b77eb26f7b1c1829d58f077e9e00b6b164dba3eef67432f049682ca01df5048acfb406049d18a72a769c02feb2185c

Score

8^/10

discovery macro persistence vmprotect

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

e3afed0047b08059d0fada10f400c1e5.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts e3afed0047b08059d0fada10f400c1e5.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	e3afed0047b08059d0fada10f400c1e5.exe

Executes dropped EXE 6 IoCs

Processes:

._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exeSynaptics.exeLogin Menu.exeLogin Menu2.exeLogin Menu.exee3afed0047b08059d0fada10f400c1e5.exe

pid	process
412	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
3316	Synaptics.exe
1160	Login Menu.exe
3240	Login Menu2.exe
1004	Login Menu.exe
2160	e3afed0047b08059d0fada10f400c1e5.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\GjSwOnnK.xlsm	office_macros

VMProtect packed file 12 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	vmprotect
behavioral2/memory/412-118-0x0000000000FB0000-0x0000000000FB1000-memory.dmp	vmprotect
C:\Windows\Fonts\Login Menu.exe	vmprotect
C:\Windows\Fonts\Login Menu.exe	vmprotect
behavioral2/memory/1160-134-0x00000000005C0000-0x00000000005C1000-memory.dmp	vmprotect
C:\Windows\Fonts\Login Menu2.exe	vmprotect
C:\Windows\Fonts\Login Menu2.exe	vmprotect
behavioral2/memory/3240-165-0x0000000000970000-0x0000000000971000-memory.dmp	vmprotect
C:\Windows\Fonts\Login Menu.exe	vmprotect
C:\Windows\Fonts\e3afed0047b08059d0fada10f400c1e5.exe	vmprotect
C:\Windows\Fonts\e3afed0047b08059d0fada10f400c1e5.exe	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3164 icacls.exe

pid	process
3164	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

Drops file in Windows directory 4 IoCs

Processes:

description	ioc	process
File created	C:\Windows\Fonts\e3afed0047b08059d0fada10f400c1e5.exe	Login Menu.exe
File created	C:\Windows\Fonts\Bunifu_UI_v1.4.dll	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
File created	C:\Windows\Fonts\Login Menu.exe	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
File created	C:\Windows\Fonts\Login Menu2.exe	Login Menu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\e3afed0047b08059d0fada10f400c1e5.exe = "9999"	Login Menu.exe

Modifies registry class 1 IoCs

Processes:

a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2168 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2940 EXCEL.EXE

pid	process
2168	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exeLogin Menu.exee3afed0047b08059d0fada10f400c1e5.exe

pid	process
412	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
412	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
412	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
1160	Login Menu.exe
1160	Login Menu.exe
1160	Login Menu.exe
2160	e3afed0047b08059d0fada10f400c1e5.exe
2160	e3afed0047b08059d0fada10f400c1e5.exe
2160	e3afed0047b08059d0fada10f400c1e5.exe
2160	e3afed0047b08059d0fada10f400c1e5.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exeLogin Menu.exeLogin Menu.exee3afed0047b08059d0fada10f400c1e5.exeicacls.exe

description	pid	process
Token: SeDebugPrivilege	412	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
Token: SeDebugPrivilege	1160	Login Menu.exe
Token: SeDebugPrivilege	1004	Login Menu.exe
Token: SeDebugPrivilege	2160	e3afed0047b08059d0fada10f400c1e5.exe
Token: SeRestorePrivilege	3164	icacls.exe
Token: 33	2160	e3afed0047b08059d0fada10f400c1e5.exe
Token: SeIncBasePriorityPrivilege	2160	e3afed0047b08059d0fada10f400c1e5.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

EXCEL.EXEe3afed0047b08059d0fada10f400c1e5.exe

pid	process
2940	EXCEL.EXE
2940	EXCEL.EXE
2940	EXCEL.EXE
2940	EXCEL.EXE
2160	e3afed0047b08059d0fada10f400c1e5.exe
2160	e3afed0047b08059d0fada10f400c1e5.exe
2940	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exeLogin Menu.execmd.exeLogin Menu2.exeLogin Menu.exee3afed0047b08059d0fada10f400c1e5.exe

description	pid	process	target process
PID 640 wrote to memory of 412	640	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
PID 640 wrote to memory of 412	640	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
PID 640 wrote to memory of 3316	640	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Synaptics.exe
PID 640 wrote to memory of 3316	640	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Synaptics.exe
PID 640 wrote to memory of 3316	640	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Synaptics.exe
PID 412 wrote to memory of 1160	412	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Login Menu.exe
PID 412 wrote to memory of 1160	412	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Login Menu.exe
PID 1160 wrote to memory of 3240	1160	Login Menu.exe	Login Menu2.exe
PID 1160 wrote to memory of 3240	1160	Login Menu.exe	Login Menu2.exe
PID 1160 wrote to memory of 180	1160	Login Menu.exe	cmd.exe
PID 1160 wrote to memory of 180	1160	Login Menu.exe	cmd.exe
PID 180 wrote to memory of 2168	180	cmd.exe	PING.EXE
PID 180 wrote to memory of 2168	180	cmd.exe	PING.EXE
PID 3240 wrote to memory of 1004	3240	Login Menu2.exe	Login Menu.exe
PID 3240 wrote to memory of 1004	3240	Login Menu2.exe	Login Menu.exe
PID 1004 wrote to memory of 2160	1004	Login Menu.exe	e3afed0047b08059d0fada10f400c1e5.exe
PID 1004 wrote to memory of 2160	1004	Login Menu.exe	e3afed0047b08059d0fada10f400c1e5.exe
PID 2160 wrote to memory of 3164	2160	e3afed0047b08059d0fada10f400c1e5.exe	icacls.exe
PID 2160 wrote to memory of 3164	2160	e3afed0047b08059d0fada10f400c1e5.exe	icacls.exe
PID 2160 wrote to memory of 2280	2160	e3afed0047b08059d0fada10f400c1e5.exe	cacls.exe
PID 2160 wrote to memory of 2280	2160	e3afed0047b08059d0fada10f400c1e5.exe	cacls.exe
PID 2160 wrote to memory of 2108	2160	e3afed0047b08059d0fada10f400c1e5.exe	cacls.exe
PID 2160 wrote to memory of 2108	2160	e3afed0047b08059d0fada10f400c1e5.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
"C:\Users\Admin\AppData\Local\Temp\a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\Fonts\Login Menu.exe
"C:\Windows\Fonts\Login Menu.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\Fonts\Login Menu2.exe
"C:\Windows\Fonts\Login Menu2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\Fonts\Login Menu.exe
"C:\Windows\Fonts\Login Menu.exe"
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\Fonts\e3afed0047b08059d0fada10f400c1e5.exe
"C:\Windows\Fonts\e3afed0047b08059d0fada10f400c1e5.exe" NjViMTkxOTJmOWRmZjhhYjI0Zjg2YjgyOWFjODVmZDA=Mzg3MDRhMTFlZDRiODM0MzA1YzdkOTJkOWZiZTYzMWE=
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SYSTEM32\icacls.exe
"icacls.exe" C:\Windows\System32\drivers\etc\hosts /setowner SYSTEM
7⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\SYSTEM32\cacls.exe
"cacls.exe" C:\Windows\System32\drivers\etc\hosts /E /P Administrators:R
7⤵
PID:2280

C:\Windows\SYSTEM32\cacls.exe
"cacls.exe" C:\Windows\System32\drivers\etc\hosts /E /P Everyone:R
7⤵
PID:2108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 2 -w 1000 > Nul & Del "C:\Windows\Fonts\Login Menu.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:180

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 2 -w 1000
5⤵
- Runs ping.exe
PID:2168

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
PID:3316

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
5b2fb0659bfda91df53b4e1ac14a087d

SHA1
df04fb68c0cb775da8fe9c8a43d561f2932aaa2f

SHA256
ba305f580b127a449688ef03d63e6bcee58e60500036280398456bbfb5f41059

SHA512
0741dd076dcd946c043fec5c730cd7d49551b35e9eb4d0704b152d8aa834f096bb3e012dab17109b17de1d6aae3311c0a1e9ab6c56d45ef59e73326dc4d44e5a

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
5b2fb0659bfda91df53b4e1ac14a087d

SHA1
df04fb68c0cb775da8fe9c8a43d561f2932aaa2f

SHA256
ba305f580b127a449688ef03d63e6bcee58e60500036280398456bbfb5f41059

SHA512
0741dd076dcd946c043fec5c730cd7d49551b35e9eb4d0704b152d8aa834f096bb3e012dab17109b17de1d6aae3311c0a1e9ab6c56d45ef59e73326dc4d44e5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_68C2F221357408211AFF57B65CF4559A
MD5
3a406bb2b96f2f25e25c94144b88a34a

SHA1
b4dc4f4cbf644c9cb1db9f9070e1266f44404fbb

SHA256
cb551d29388d3c4221388a59506ebb7bf121152b53d56621cc9fd0c3a91dcb81

SHA512
34e5218551a7de2e08354b002824c38b2a51f5ea126dafbd1eaf30ffbfe02e7214f45a09a962c2c931c7f839e12eea9cdae443cab918ca9cbe5000ee6f948476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
4f914d6a12b48374677859978d3def97

SHA1
d29a1ff9bc1fbf5c4c0cf3210c9aefe33fc8e5a5

SHA256
eb9ac8c88c0857b9588076073491eec79f4725aa32bc7af00c20ef31095d1d68

SHA512
ab9cc44820d05b5207d1210e189041f3df258346619f05ae1b058de8b358438095a09b0fed26fcf09d7d08caae353f680936ebe24fdc94c18411463d5ecfbe61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_68C2F221357408211AFF57B65CF4559A
MD5
a6c9aafae0bdf88cd83c95aaa35040cd

SHA1
56cd62766588b1017f7b1721a479de348b1aca4d

SHA256
2fd8b8f87de6ea85bc3c72fa19f6f2dc9d307924ece4075edc1e107e2c85d9dd

SHA512
6a252d3bbbbdb30ba1239525f348f70eb8315782ec8dbdf681cc5b362e4361c19728df9bd8bfc1195245c7a28ab3226627318cb7ec865c7cf3bb95371b4d7028

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
b2b2e18eed3aa3c7b615056d3a502250

SHA1
b34a2acf4e7b353b399f1702f78508b5d7c08164

SHA256
0ce0aff6f6ac72214eb4dd8dbcf30a44a6f8c81967be26ee6ea1c56550eac7f4

SHA512
cfd1a510e3295737b2c9120fbbd484584740a25107b280cfd71efb0b7508155edc2b58cd0cb58ce01f42aba4854947d5c40b74c70027bc2cdfd6cfbe4eb9f570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Login Menu.exe.log
MD5
fa52206ce327d06444eaf2326b3336e1

SHA1
3072fa68e307a69601dda4ea1fb3caf1e25f803e

SHA256
e5f574e7ed6aa33f590a3ca771ac2911b73857bf81b0ec8bac75b460a02d28ec

SHA512
770d0a4cf72c842cdb33f810bc6a3ed17d872790a085982057cdb88c3912bb8ee52b32ca04dce2bc59720629b8500b778132f6f8648208695158079342c8b3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
MD5
45271eb8bd0a6c1ff17bc95c7f5db7d9

SHA1
172434d42d9fbc9e7a7f7e06df36c8e674daf472

SHA256
8af889771de321daf952327fdc173b68ed9560ddc25747894ee2c4596dcf336c

SHA512
2f9d8ac0bec09bc9f388a51eb89a535fade2ff24f767715afe85f1c28d8df3e2445b8e776f67352ba07aba99356b47a2af8ee9d46be7b3a4942389cf09a77761

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
MD5
45271eb8bd0a6c1ff17bc95c7f5db7d9

SHA1
172434d42d9fbc9e7a7f7e06df36c8e674daf472

SHA256
8af889771de321daf952327fdc173b68ed9560ddc25747894ee2c4596dcf336c

SHA512
2f9d8ac0bec09bc9f388a51eb89a535fade2ff24f767715afe85f1c28d8df3e2445b8e776f67352ba07aba99356b47a2af8ee9d46be7b3a4942389cf09a77761

Download Submit
C:\Users\Admin\AppData\Local\Temp\GjSwOnnK.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Fonts\Bunifu_UI_v1.4.dll
MD5
44897233a89b82c11fa5339bd0c4d4bb

SHA1
6517d2868494ac883a421f2bbbc90900544f789c

SHA256
1328161c84ff5e739b610b43051a5eb7fd8f2a6f643c9b3163f2ea6f35fced79

SHA512
6790da1f3b7add625442ed666403f32ee1c39766ed40f191cfecaa1c1503dfc45f5480944277b8ee64241959394296ab93a676f00e89d68721b0e0d932031c85

Download Submit
C:\Windows\Fonts\Login Menu.exe
MD5
643946384a1da7ff4a44b931ffbd6d2a

SHA1
7e43c3e7ca7230cf903e05d7a2079ea8698399ad

SHA256
3661d39d75fdd38085b983d48d38ceff64dbe5f771630926e91a8fee6c915792

SHA512
7242aecf09470e0d7b680327cbf02f5d017c9246287f2feeef4207985479171027578796afe161a3d0dac82934d02862c96f0757df62decda2e2dbc0f4012fc2

Download Submit
C:\Windows\Fonts\Login Menu.exe
MD5
643946384a1da7ff4a44b931ffbd6d2a

SHA1
7e43c3e7ca7230cf903e05d7a2079ea8698399ad

SHA256
3661d39d75fdd38085b983d48d38ceff64dbe5f771630926e91a8fee6c915792

SHA512
7242aecf09470e0d7b680327cbf02f5d017c9246287f2feeef4207985479171027578796afe161a3d0dac82934d02862c96f0757df62decda2e2dbc0f4012fc2

Download Submit
C:\Windows\Fonts\Login Menu.exe
MD5
973d1047d4c5eda675c056863915d96a

SHA1
50829d37a6614c561de6120e3ec8629bb5ef5015

SHA256
910f20fef80124809d18d9430bec5a3f724fd48745ebf56a3b21a8fe81a115d2

SHA512
0cdc956dfa3a8bd68758122c1288321c3e1ab6ede56741a299c9ebd677ce14d130cdbcf2f0dfef614bfa19d8f0f13de57347faf6f182879755e9f25cf7526d71

Download Submit
C:\Windows\Fonts\Login Menu2.exe
MD5
973d1047d4c5eda675c056863915d96a

SHA1
50829d37a6614c561de6120e3ec8629bb5ef5015

SHA256
910f20fef80124809d18d9430bec5a3f724fd48745ebf56a3b21a8fe81a115d2

SHA512
0cdc956dfa3a8bd68758122c1288321c3e1ab6ede56741a299c9ebd677ce14d130cdbcf2f0dfef614bfa19d8f0f13de57347faf6f182879755e9f25cf7526d71

Download Submit
C:\Windows\Fonts\Login Menu2.exe
MD5
973d1047d4c5eda675c056863915d96a

SHA1
50829d37a6614c561de6120e3ec8629bb5ef5015

SHA256
910f20fef80124809d18d9430bec5a3f724fd48745ebf56a3b21a8fe81a115d2

SHA512
0cdc956dfa3a8bd68758122c1288321c3e1ab6ede56741a299c9ebd677ce14d130cdbcf2f0dfef614bfa19d8f0f13de57347faf6f182879755e9f25cf7526d71

Download Submit
C:\Windows\Fonts\e3afed0047b08059d0fada10f400c1e5.exe
MD5
953c3e62e9a6475b197730600df5d284

SHA1
76bfb9c9339d76d88acbd7c83166fd2b9de90bed

SHA256
e5bb433c64dd58447f4238506b9ea9b6b49aaf4884f77bca2006ddb24f17b0fa

SHA512
a909a31e464b5bc06e480aa5437a3b44dc0f3ef1d1858cdccbec61825fd2863e29aeec012016fce95f2ec2e9c2f7fbe15dd74aeb478818f9b52747209c37492e

Download Submit
C:\Windows\Fonts\e3afed0047b08059d0fada10f400c1e5.exe
MD5
953c3e62e9a6475b197730600df5d284

SHA1
76bfb9c9339d76d88acbd7c83166fd2b9de90bed

SHA256
e5bb433c64dd58447f4238506b9ea9b6b49aaf4884f77bca2006ddb24f17b0fa

SHA512
a909a31e464b5bc06e480aa5437a3b44dc0f3ef1d1858cdccbec61825fd2863e29aeec012016fce95f2ec2e9c2f7fbe15dd74aeb478818f9b52747209c37492e

Download Submit
C:\Windows\System32\drivers\etc\hosts
MD5
106fac49d4692fd1f1d12e8d3fc160ba

SHA1
572dc323a0868be14f950b83711c1e235a1c03cb

SHA256
53918197fc57d4b397ce58d58f502953d654462a4ecdd042d8bbe89ef7dc6104

SHA512
bc154b3539230e49f0f798f9d979670ca3f57449c1f9132505cd4569a845186579c921c9da6b933e395f69ff80aebcbf0944a11c473e30c4f547cd290bf907be

Download Submit
memory/180-164-0x0000000000000000-mapping.dmp

Download
memory/412-126-0x00000000045F0000-0x00000000045F2000-memory.dmp

Filesize
8KB

Download
memory/412-118-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/412-130-0x00000000205D0000-0x0000000020D4C000-memory.dmp

Filesize
7.5MB

Download
memory/412-127-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/412-115-0x0000000000000000-mapping.dmp

Download
memory/640-114-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download
memory/1004-194-0x000000001C592000-0x000000001C594000-memory.dmp

Filesize
8KB

Download
memory/1004-193-0x000000001C594000-0x000000001C595000-memory.dmp

Filesize
4KB

Download
memory/1004-185-0x000000001C590000-0x000000001C592000-memory.dmp

Filesize
8KB

Download
memory/1004-175-0x0000000000000000-mapping.dmp

Download
memory/1160-154-0x000000001BE44000-0x000000001BE45000-memory.dmp

Filesize
4KB

Download
memory/1160-153-0x000000001BE42000-0x000000001BE44000-memory.dmp

Filesize
8KB

Download
memory/1160-144-0x000000001BE40000-0x000000001BE42000-memory.dmp

Filesize
8KB

Download
memory/1160-131-0x0000000000000000-mapping.dmp

Download
memory/1160-149-0x000000001BE00000-0x000000001BE01000-memory.dmp

Filesize
4KB

Download
memory/1160-134-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2108-237-0x0000000000000000-mapping.dmp

Download
memory/2160-222-0x0000000000000000-mapping.dmp

Download
memory/2160-225-0x000000001BBD0000-0x000000001BBD2000-memory.dmp

Filesize
8KB

Download
memory/2160-233-0x000000001BBD8000-0x000000001BBDA000-memory.dmp

Filesize
8KB

Download
memory/2160-232-0x000000001BBD7000-0x000000001BBD8000-memory.dmp

Filesize
4KB

Download
memory/2160-231-0x000000001BBD5000-0x000000001BBD7000-memory.dmp

Filesize
8KB

Download
memory/2160-230-0x000000001BBD4000-0x000000001BBD5000-memory.dmp

Filesize
4KB

Download
memory/2160-229-0x000000001BBD2000-0x000000001BBD3000-memory.dmp

Filesize
4KB

Download
memory/2168-167-0x0000000000000000-mapping.dmp

Download
memory/2280-236-0x0000000000000000-mapping.dmp

Download
memory/2940-138-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2940-139-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2940-136-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2940-152-0x00007FFADD710000-0x00007FFADF605000-memory.dmp

Filesize
31.0MB

Download
memory/2940-140-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2940-151-0x00007FFADF610000-0x00007FFAE06FE000-memory.dmp

Filesize
16.9MB

Download
memory/2940-137-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2940-124-0x00007FF60F810000-0x00007FF612DC6000-memory.dmp

Filesize
53.7MB

Download
memory/3164-234-0x0000000000000000-mapping.dmp

Download
memory/3240-169-0x000000001C2E0000-0x000000001C2E2000-memory.dmp

Filesize
8KB

Download
memory/3240-180-0x000000001C2E4000-0x000000001C2E5000-memory.dmp

Filesize
4KB

Download
memory/3240-165-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3240-181-0x000000001C2E2000-0x000000001C2E4000-memory.dmp

Filesize
8KB

Download
memory/3240-161-0x0000000000000000-mapping.dmp

Download
memory/3316-123-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3316-120-0x0000000000000000-mapping.dmp

Download