4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
Size

149KB
MD5

2a812e6a820cf6e5d0c1d9fc91960f20
SHA1

7c6dbd6c940ea237354b59ee958e18363c2e7374
SHA256

4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978
SHA512

28b7a1ef166dd55c5ba9da66e07791d739bf1f6dd2cb5a27e5920e0a5857a0e315e48ea512ae8c8de6a8fc172b2395f69e1ff9c56e399b11f9efdfa383e92ecf
SSDEEP

3072:1JMGaWXa0+9na0FF53uywafvR6rEy4u1HWWsxayVB9:v7bXZ+9a0FFcPa3R6riu1HWWsoIB9

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2712	Logo1_.exe
216	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	Logo1_.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Logo1_.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmprph.exe	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe.Exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.167.21\MicrosoftEdgeUpdateSetup_X86_1.3.167.21.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.Exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe.Exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe.Exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\uninstall\rundl132.exe	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
File created	C:\Windows\Logo1_.exe	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	Logo1_.exe
File created	C:\Windows\RichDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 1644	4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe	85
PID 4196 wrote to memory of 1644	4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe	85
PID 4196 wrote to memory of 1644	4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe	85
PID 1644 wrote to memory of 4380	1644	net.exe	87
PID 1644 wrote to memory of 4380	1644	net.exe	87
PID 1644 wrote to memory of 4380	1644	net.exe	87
PID 4196 wrote to memory of 1676	4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe	88
PID 4196 wrote to memory of 1676	4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe	88
PID 4196 wrote to memory of 1676	4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe	88
PID 4196 wrote to memory of 2712	4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe	90
PID 4196 wrote to memory of 2712	4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe	90
PID 4196 wrote to memory of 2712	4196	4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe	90
PID 1676 wrote to memory of 216	1676	cmd.exe	91
PID 1676 wrote to memory of 216	1676	cmd.exe	91
PID 1676 wrote to memory of 216	1676	cmd.exe	91
PID 2712 wrote to memory of 3104	2712	Logo1_.exe	92
PID 2712 wrote to memory of 3104	2712	Logo1_.exe	92
PID 2712 wrote to memory of 3104	2712	Logo1_.exe	92
PID 3104 wrote to memory of 5024	3104	net.exe	94
PID 3104 wrote to memory of 5024	3104	net.exe	94
PID 3104 wrote to memory of 5024	3104	net.exe	94
PID 2712 wrote to memory of 4496	2712	Logo1_.exe	95
PID 2712 wrote to memory of 4496	2712	Logo1_.exe	95
PID 2712 wrote to memory of 4496	2712	Logo1_.exe	95
PID 4496 wrote to memory of 2788	4496	net.exe	97
PID 4496 wrote to memory of 2788	4496	net.exe	97
PID 4496 wrote to memory of 2788	4496	net.exe	97
PID 2712 wrote to memory of 3092	2712	Logo1_.exe	38
PID 2712 wrote to memory of 3092	2712	Logo1_.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
  "C:\Users\Admin\AppData\Local\Temp\4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBD4A.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe
      "C:\Users\Admin\AppData\Local\Temp\4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe"
      4⤵
      Executes dropped EXE
      PID:216
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:5024
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aBD4A.bat

Filesize
722B

MD5
b1b84feb201882bf464c75842cc824d7

SHA1
36443e90b8a2d64b291d0333aa89d2ea6dd9cb33

SHA256
78d14c0f22271e6cf71f2fe61d4e4a2ee5e4bee5d691db366ef6971f3fb28a48

SHA512
8369b4d7b216cd2d9ca8c64a71e11229ccd6da80706051b046a0aafb0e854a97e76e4fa54437840cefedbce6f4a8a025b0d4a73635c87630073127da91d23bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe

Filesize
79KB

MD5
b4e1cf72f0ee559f01b4e69a0657b4d6

SHA1
7f6aff0f71e72dc528b6e705a8c2a7a58aad4366

SHA256
7b14c6aac6e451836b0757e43ab7d5df8b6c31496df182a02719f9fe16e13b36

SHA512
2d08d2b68b792dccff293fdfa253a8cf0b81ab8327745b0260434801417d36cf53655e39467b27f23b36ec6f6b32b30b4acc84652564d6c3ece493097a1cec3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cd0348c4c23253f592ec6c6eb763cf531ab6f7f647089842d3d3b467492b978.exe.exe

Filesize
79KB

MD5
b4e1cf72f0ee559f01b4e69a0657b4d6

SHA1
7f6aff0f71e72dc528b6e705a8c2a7a58aad4366

SHA256
7b14c6aac6e451836b0757e43ab7d5df8b6c31496df182a02719f9fe16e13b36

SHA512
2d08d2b68b792dccff293fdfa253a8cf0b81ab8327745b0260434801417d36cf53655e39467b27f23b36ec6f6b32b30b4acc84652564d6c3ece493097a1cec3b

Download Submit
C:\Windows\Logo1_.exe

Filesize
69KB

MD5
da79cc012e1b885a2e5f124c1555e2b0

SHA1
ae73909e579e5e08cef224201f110acf76e7b3de

SHA256
1e36b5c0b0205de3ddfe6582239ef752c71f871a525cd817f8088a388db6d43c

SHA512
5ab8c0b46cf962c70bf2a51db9d4eb023427fec2322059606088f91d3ee10686407612c22520e78b322ed31b9fe7632bc2fa38dc0410f86df32c517aeb7494fc

Download Submit
C:\Windows\Logo1_.exe

Filesize
69KB

MD5
da79cc012e1b885a2e5f124c1555e2b0

SHA1
ae73909e579e5e08cef224201f110acf76e7b3de

SHA256
1e36b5c0b0205de3ddfe6582239ef752c71f871a525cd817f8088a388db6d43c

SHA512
5ab8c0b46cf962c70bf2a51db9d4eb023427fec2322059606088f91d3ee10686407612c22520e78b322ed31b9fe7632bc2fa38dc0410f86df32c517aeb7494fc

Download Submit
C:\Windows\uninstall\rundl132.exe

Filesize
69KB

MD5
da79cc012e1b885a2e5f124c1555e2b0

SHA1
ae73909e579e5e08cef224201f110acf76e7b3de

SHA256
1e36b5c0b0205de3ddfe6582239ef752c71f871a525cd817f8088a388db6d43c

SHA512
5ab8c0b46cf962c70bf2a51db9d4eb023427fec2322059606088f91d3ee10686407612c22520e78b322ed31b9fe7632bc2fa38dc0410f86df32c517aeb7494fc

Download Submit
memory/2712-147-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2712-148-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/2712-152-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2712-153-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/4196-140-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4196-132-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4196-133-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download