cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094

Analysis

max time kernel
152s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
Size

272KB
MD5

555f54e8f462a161e327996503e31735
SHA1

486dd61f4d9adc110b32806ebadc73bcfbf262e5
SHA256

cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094
SHA512

3caa845e16dda17a5a3b1587f4e1f489078aa371371c3f7b0554d1b857d2b7586f1ced38c4d9c570a155043d12be2d97e798c846d151b0ad4706f1dd1635c12e
SSDEEP

6144:0j94Szj94Szj94Szj94Szj94Szj94Szj94Szj94Szj9q:0jiSzjiSzjiSzjiSzjiSzjiSzjiSzjiL

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

Logo1_.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

pid	process
4492	Logo1_.exe
1140	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4688	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
1584	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4180	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
3100	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
5064	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
3876	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\_desktop.ini	Logo1_.exe

Drops file in Windows directory 11 IoCs

Processes:

cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exeLogo1_.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

description	ioc	process
File created	C:\Windows\Logo1_.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
File created	C:\Windows\Logo1_.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
File created	C:\Windows\Logo1_.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
File created	C:\Windows\rundl132.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
File created	C:\Windows\Logo1_.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
File created	C:\Windows\Logo1_.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
File created	C:\Windows\Logo1_.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exeLogo1_.exe

pid	process
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe
4492	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

3328 cmd.exe

pid	process
3328	cmd.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exeLogo1_.exenet.execmd.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execmd.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execmd.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execmd.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execmd.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execmd.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.execmd.execd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

description	pid	process	target process
PID 4708 wrote to memory of 2068	4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 4708 wrote to memory of 2068	4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 4708 wrote to memory of 2068	4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 4708 wrote to memory of 4492	4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	Logo1_.exe
PID 4708 wrote to memory of 4492	4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	Logo1_.exe
PID 4708 wrote to memory of 4492	4708	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	Logo1_.exe
PID 4492 wrote to memory of 3276	4492	Logo1_.exe	net.exe
PID 4492 wrote to memory of 3276	4492	Logo1_.exe	net.exe
PID 4492 wrote to memory of 3276	4492	Logo1_.exe	net.exe
PID 3276 wrote to memory of 456	3276	net.exe	net1.exe
PID 3276 wrote to memory of 456	3276	net.exe	net1.exe
PID 3276 wrote to memory of 456	3276	net.exe	net1.exe
PID 2068 wrote to memory of 1140	2068	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 2068 wrote to memory of 1140	2068	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 2068 wrote to memory of 1140	2068	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 1140 wrote to memory of 4784	1140	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 1140 wrote to memory of 4784	1140	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 1140 wrote to memory of 4784	1140	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 4784 wrote to memory of 4688	4784	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 4784 wrote to memory of 4688	4784	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 4784 wrote to memory of 4688	4784	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 4688 wrote to memory of 4336	4688	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 4688 wrote to memory of 4336	4688	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 4688 wrote to memory of 4336	4688	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 4336 wrote to memory of 1584	4336	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 4336 wrote to memory of 1584	4336	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 4336 wrote to memory of 1584	4336	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 1584 wrote to memory of 1360	1584	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 1584 wrote to memory of 1360	1584	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 1584 wrote to memory of 1360	1584	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 1360 wrote to memory of 4180	1360	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 1360 wrote to memory of 4180	1360	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 1360 wrote to memory of 4180	1360	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 4180 wrote to memory of 4672	4180	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 4180 wrote to memory of 4672	4180	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 4180 wrote to memory of 4672	4180	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 4672 wrote to memory of 3100	4672	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 4672 wrote to memory of 3100	4672	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 4672 wrote to memory of 3100	4672	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 3100 wrote to memory of 3420	3100	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 3100 wrote to memory of 3420	3100	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 3100 wrote to memory of 3420	3100	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 4492 wrote to memory of 2932	4492	Logo1_.exe	Explorer.EXE
PID 4492 wrote to memory of 2932	4492	Logo1_.exe	Explorer.EXE
PID 3420 wrote to memory of 5064	3420	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 3420 wrote to memory of 5064	3420	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 3420 wrote to memory of 5064	3420	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 5064 wrote to memory of 5092	5064	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 5064 wrote to memory of 5092	5064	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 5064 wrote to memory of 5092	5064	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 5092 wrote to memory of 3876	5092	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 5092 wrote to memory of 3876	5092	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 5092 wrote to memory of 3876	5092	cmd.exe	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
PID 3876 wrote to memory of 3328	3876	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 3876 wrote to memory of 3328	3876	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe
PID 3876 wrote to memory of 3328	3876	cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
"C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEDD0.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
"C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF012.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
"C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF179.bat
7⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
"C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe"
8⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF2B2.bat
9⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
"C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe"
10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF39C.bat
11⤵
- Suspicious use of WriteProcessMemory
PID:4672

C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
"C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe"
12⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF486.bat
13⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
"C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe"
14⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF590.bat
15⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe
"C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe"
16⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF67A.bat
17⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aEDD0.bat

Filesize
722B

MD5
35afc0d9f02874d90d78e25241b285ce

SHA1
f9ebe9944533cd4773ceca0992a350b7e4c79f23

SHA256
de03cd97c8f1374cfd3f06b2ae76afc269b0d43aa3141124d0b34bec715a673e

SHA512
a60f75b379efdaf13a9de2d60eb9728da28b7dcad7d3ec3c9126e94d72cbdbab16d02076396b77275889e4312acd27db8dc8c53eec0da90dfb66488fcca9e041

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF012.bat

Filesize
722B

MD5
554c0d499aadd579807437e2d68db962

SHA1
668a33c3a5848c4e386fdf6bf3a25a0cd17ef294

SHA256
a68b50661ff915a28bc7b1dbffaf8713b3d28db69854fc44d36976cd2e86d6ea

SHA512
0e6741b83d3e1cd3f8e2450f1a000bc6344b8ad7aa25c1aa5c0397499e2a171dd662aac1cfaf1cff556f25c2cf2996c8458b19c09ed945f15ba45e3847e27910

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF179.bat

Filesize
722B

MD5
a9d48e9967af974339880680e8bab619

SHA1
ea006f5632d76ff5e51968e68bdf0d6300423138

SHA256
d4586bc5b2dcd5ba6799cd2a8c9efa47b02695cbb21e4e3341c6cc009ec66752

SHA512
39aa655440b8595450a52c2bfcb11e134feb7ab3be9bf9294aefb0b5d246f48f17e412636635b56f5bce6c8aa7b1b0ae7dbdaba4d0ac255023591e44f0671a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF2B2.bat

Filesize
722B

MD5
3ab605641bb660335ab6e3d734294bfc

SHA1
35f8314e7db36dfda32b432c02a3330b209b6fae

SHA256
519ada6629cbd947b30f5b65d0d5c5f032fdeb0588203123c8173c7840c53cbb

SHA512
05459054ad5a48def4820361d9193d7e9a778e99d324ceb116d5cf3a88d33288cb7d637eac13e8b895225af610569042c9b9c65da32e544eb69c08face56d1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF39C.bat

Filesize
722B

MD5
4878f19ef1da95fb4bc7f6a2c0695777

SHA1
896476fa06a8b30601be5e0c5c1879b57d7766a9

SHA256
7d5fe748620594a933ecd46ffd260269455ea3ac2f245ddadf6a21c439d25b97

SHA512
e9d65e30e8c6f9b288a7b5491812018ffaf1796e946f9e9a0233ae000fda9579b265626886b6ebbdbef176e85f589f2d233787a3408ddf9e85b2537729fd0bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF486.bat

Filesize
722B

MD5
38eab0f52343bdb62e954a8c90228b9d

SHA1
7bf2a3b9af7aa1fea5e71ea38d0e7bd7c149dab0

SHA256
ebb15ac1d2bdfb709e948af08b575ed767fced24cfc3251660b6572ee2cb2957

SHA512
ebf6fb8b5329e7f8e8d19c20fd7a712403a9d582d9f68f9c87a3c867b309f8cf78ce678c60b24a68051979e3acc422915433dd8e54cada3e59646e74b6657947

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF590.bat

Filesize
722B

MD5
c04fc5da28bb6b53ed97a212224025e8

SHA1
d5c120dddcd53f6b05d53cda5ae483428daef666

SHA256
6822a3957b74ddd49bfb1e5d00badd0b33e45fae4a00af36193cd87b21460c9c

SHA512
2a0222ff715b71acacf0a188b0f7248fc5183629a5bd3a35744de9302ed54886b4a93b0168fd5714d37872b2a61262ea8b2838790f7bb7d49625a5ecd1179e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF67A.bat

Filesize
722B

MD5
4d371d9a68bc285ff526490cd20663f0

SHA1
08976b4b82435c806613ea18320a12e9b58fe8a0

SHA256
ae0b4521184a1bfed06c7e25b029b550f4a4546f11a2744a1c47265230b80e4e

SHA512
b1651e133d6a16e2c32f32f56e35fcd29e2d9a1be3c7e0a938e79b92e7214c9ea737e06be6175557ca7cb504d8866d71107d8d4770b8dcc1de91865eb9de30fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

Filesize
239KB

MD5
506e0b1599be0bd6e1437d9b7387a89f

SHA1
8b1d70710f012d5bae0e38f0e364e964ff8cb9d5

SHA256
b9e7551f78118817dcfd237fc6afe0da88a77139a99431537ab74adb34b6d12f

SHA512
4f5884c503184fe415c5501b514372c07e1bf88222fb6f9b85b61ba471430967f6a8522b4b85dcd4c45f405cea5367658c46ebd10a0935d438d748c86b8ec9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

Filesize
174KB

MD5
7a723a9440db2ff5291000555b073057

SHA1
0f5b13d8738682b3ed0d914bfc54bb446cd0279c

SHA256
4217d6650caff5042093e8ad53db4e7b699566320a5308679bbee415cb862d34

SHA512
c79fae828b29f3fd150ff825a831d1a2ce3f1dfc0548d1bf12c300f9e2a21a64c5d2cae31933e011c8a2a0309586eb995e6e2e9f4e9c0606611369236526dca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

Filesize
207KB

MD5
646748afd49012efa4f7397830f3503e

SHA1
32e7fc98fc1710b5532be14a0ac6b731bf518671

SHA256
f93c5a60098bb74aa3926dff737831b56f8447c0f783cd24b529a09f2ad82748

SHA512
db582ca2c96525d88618514682c987bf8bbdc133318809618002df08c68b1fd356aad884e84bcd4f21656c0ac77916a5531650688d23aea201ca8db1ec4949dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

Filesize
109KB

MD5
8e5d873a5852f0799b41d5832be2b6d8

SHA1
ecc557edec7a729cbfb94ced0cd2d6cf043f7fb4

SHA256
5983c24fbf3a16417749dd860a8c6f00e5c4c03f8dc53575573e0101feffc40c

SHA512
ee51074eadaa9d3eb25aeb1b2255a5f82dbcc64ccc295289e7a15df308998fe9a15095396bfc0ede18d76070f94d0ae8ef55c2c324928b69dff8f8ef6e458b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

Filesize
142KB

MD5
bf1032e1eb6e5a4e22ccd764d4c51dc2

SHA1
f5b4f5e1f399f109602f87ca509b43b9b0385886

SHA256
18218b896ab7c7ba2252d4e30d39418cedaee1288f7f4eca46e476ff2d239e0f

SHA512
7c554565281810b740331d2080354aa340e55792f83c53ac1c020753ea40967b7091016610851308063a200cf83620e3969231e53ff8f6af7b583a1ab89cbf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

Filesize
44KB

MD5
075f4f4df936dc55acf0d7d0ea210273

SHA1
955df51795b6b1876e3fd0dac7f0972ef030fae7

SHA256
1fd0e129c886a5bc3c0c00ac0a222367a0304391d575d31485a0e01028df884c

SHA512
9ebd7524d376fa76e7869c2849e79ff6611c6170e240c1833b5e3dd661b4b21a0943abf06e089aad68d675364c1b4bdf5ab8aef4b051b60a7b37fcad8952587e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe

Filesize
77KB

MD5
f6a3cdd9af5e5b78e1848a40b741d27c

SHA1
eeeee8d1eb2e22b1b8abfa56ac3615deea378975

SHA256
623059cebaf78533ccdb1d555d6ec3c1dbb56242be50f14b4a40b09e71075a07

SHA512
4f5a3ce0df6cb3f04bc0d2aaaf83a9ca6898fc7ba99cc11a6bb4af5c655fe13c7158d5bd0ca606c2ead448b82a1fae8fb8cbb8d16080ba266a8565b0b49149f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe.exe

Filesize
239KB

MD5
506e0b1599be0bd6e1437d9b7387a89f

SHA1
8b1d70710f012d5bae0e38f0e364e964ff8cb9d5

SHA256
b9e7551f78118817dcfd237fc6afe0da88a77139a99431537ab74adb34b6d12f

SHA512
4f5884c503184fe415c5501b514372c07e1bf88222fb6f9b85b61ba471430967f6a8522b4b85dcd4c45f405cea5367658c46ebd10a0935d438d748c86b8ec9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe.exe

Filesize
174KB

MD5
7a723a9440db2ff5291000555b073057

SHA1
0f5b13d8738682b3ed0d914bfc54bb446cd0279c

SHA256
4217d6650caff5042093e8ad53db4e7b699566320a5308679bbee415cb862d34

SHA512
c79fae828b29f3fd150ff825a831d1a2ce3f1dfc0548d1bf12c300f9e2a21a64c5d2cae31933e011c8a2a0309586eb995e6e2e9f4e9c0606611369236526dca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe.exe

Filesize
207KB

MD5
646748afd49012efa4f7397830f3503e

SHA1
32e7fc98fc1710b5532be14a0ac6b731bf518671

SHA256
f93c5a60098bb74aa3926dff737831b56f8447c0f783cd24b529a09f2ad82748

SHA512
db582ca2c96525d88618514682c987bf8bbdc133318809618002df08c68b1fd356aad884e84bcd4f21656c0ac77916a5531650688d23aea201ca8db1ec4949dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe.exe

Filesize
109KB

MD5
8e5d873a5852f0799b41d5832be2b6d8

SHA1
ecc557edec7a729cbfb94ced0cd2d6cf043f7fb4

SHA256
5983c24fbf3a16417749dd860a8c6f00e5c4c03f8dc53575573e0101feffc40c

SHA512
ee51074eadaa9d3eb25aeb1b2255a5f82dbcc64ccc295289e7a15df308998fe9a15095396bfc0ede18d76070f94d0ae8ef55c2c324928b69dff8f8ef6e458b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe.exe

Filesize
142KB

MD5
bf1032e1eb6e5a4e22ccd764d4c51dc2

SHA1
f5b4f5e1f399f109602f87ca509b43b9b0385886

SHA256
18218b896ab7c7ba2252d4e30d39418cedaee1288f7f4eca46e476ff2d239e0f

SHA512
7c554565281810b740331d2080354aa340e55792f83c53ac1c020753ea40967b7091016610851308063a200cf83620e3969231e53ff8f6af7b583a1ab89cbf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe.exe

Filesize
44KB

MD5
075f4f4df936dc55acf0d7d0ea210273

SHA1
955df51795b6b1876e3fd0dac7f0972ef030fae7

SHA256
1fd0e129c886a5bc3c0c00ac0a222367a0304391d575d31485a0e01028df884c

SHA512
9ebd7524d376fa76e7869c2849e79ff6611c6170e240c1833b5e3dd661b4b21a0943abf06e089aad68d675364c1b4bdf5ab8aef4b051b60a7b37fcad8952587e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe.exe

Filesize
77KB

MD5
f6a3cdd9af5e5b78e1848a40b741d27c

SHA1
eeeee8d1eb2e22b1b8abfa56ac3615deea378975

SHA256
623059cebaf78533ccdb1d555d6ec3c1dbb56242be50f14b4a40b09e71075a07

SHA512
4f5a3ce0df6cb3f04bc0d2aaaf83a9ca6898fc7ba99cc11a6bb4af5c655fe13c7158d5bd0ca606c2ead448b82a1fae8fb8cbb8d16080ba266a8565b0b49149f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132aaa8038961ebd255fbc6f982944e98f889a00d1c5966c8dffca0e2f4094.exe.exe

Filesize
12KB

MD5
3f624c4470fcc43ea32a3185ac40b039

SHA1
68223d2579aa849bf9098c8930d3af2ababadd6a

SHA256
d09a3f3528cc837dd43cf26f6c6c6b94969f63016b84d3bcf05b396508fe7694

SHA512
18461bce18c09cd0449f0df9ea584b97c9ae18cf63076188fd4b458d0e2199af4d3ac104207eed0ec663517768d78bf8f91dd4dc9e7197689e0d36a26da3f2c0

Download Submit
C:\Windows\Logo1_.exe

Filesize
32KB

MD5
6accfee33d3b8fe43fbba7811415ba5f

SHA1
664a962d1f045cc423b549595f5f9bc4b8a5b2b6

SHA256
3cb1954dc30b3c929f5f32f518aa0644d603727ea995b7fce56c532448cf54a9

SHA512
339226aec74724259556b014fb730026fd3127d05fbd75b9f810c5513ef07a02f9ad0cca8cfdc2e52527fe98b5a768464348e4d39198cea290a1d87517c9c5d8

Download Submit
C:\Windows\Logo1_.exe

Filesize
32KB

MD5
6accfee33d3b8fe43fbba7811415ba5f

SHA1
664a962d1f045cc423b549595f5f9bc4b8a5b2b6

SHA256
3cb1954dc30b3c929f5f32f518aa0644d603727ea995b7fce56c532448cf54a9

SHA512
339226aec74724259556b014fb730026fd3127d05fbd75b9f810c5513ef07a02f9ad0cca8cfdc2e52527fe98b5a768464348e4d39198cea290a1d87517c9c5d8

Download Submit
C:\Windows\rundl132.exe

Filesize
32KB

MD5
6accfee33d3b8fe43fbba7811415ba5f

SHA1
664a962d1f045cc423b549595f5f9bc4b8a5b2b6

SHA256
3cb1954dc30b3c929f5f32f518aa0644d603727ea995b7fce56c532448cf54a9

SHA512
339226aec74724259556b014fb730026fd3127d05fbd75b9f810c5513ef07a02f9ad0cca8cfdc2e52527fe98b5a768464348e4d39198cea290a1d87517c9c5d8

Download Submit
memory/456-142-0x0000000000000000-mapping.dmp

Download
memory/1140-146-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1140-143-0x0000000000000000-mapping.dmp

Download
memory/1360-158-0x0000000000000000-mapping.dmp

Download
memory/1584-156-0x0000000000000000-mapping.dmp

Download
memory/1584-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-133-0x0000000000000000-mapping.dmp

Download
memory/3100-171-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3100-168-0x0000000000000000-mapping.dmp

Download
memory/3276-139-0x0000000000000000-mapping.dmp

Download
memory/3328-182-0x0000000000000000-mapping.dmp

Download
memory/3420-170-0x0000000000000000-mapping.dmp

Download
memory/3876-180-0x0000000000000000-mapping.dmp

Download
memory/3876-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4180-162-0x0000000000000000-mapping.dmp

Download
memory/4180-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4336-152-0x0000000000000000-mapping.dmp

Download
memory/4492-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4492-186-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4492-134-0x0000000000000000-mapping.dmp

Download
memory/4672-164-0x0000000000000000-mapping.dmp

Download
memory/4688-150-0x0000000000000000-mapping.dmp

Download
memory/4688-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4708-132-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4708-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-145-0x0000000000000000-mapping.dmp

Download
memory/5064-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5064-174-0x0000000000000000-mapping.dmp

Download
memory/5092-176-0x0000000000000000-mapping.dmp

Download