112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2023, 06:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
Size

347KB
MD5

1e21e312130d157e1f33a0edcb817046
SHA1

b65cfd7cc20447a0ec65880394d0e9e77550eb8c
SHA256

112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37
SHA512

7555f508a6933c7f4e3eb9a688496c1044a72e72b6202bd6d8afada2d1b3205efa9394836fdc449eb9b9df00879e0fa7ab53be90b87668bc2e56247c986f932d
SSDEEP

6144:yj94Spj94Spj94Spj94Spj94Spj94Spj94Spj94Spj94S6p:yjiSpjiSpjiSpjiSpjiSpjiSpjiSpjiC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
960	Logo1_.exe
4492	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
2384	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1644	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
4124	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
4944	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
4736	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
5096	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
852	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
2028	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\_desktop.ini	Logo1_.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
File created	C:\Windows\Logo1_.exe	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
File created	C:\Windows\Logo1_.exe	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
File created	C:\Windows\Logo1_.exe	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
File created	C:\Windows\rundl132.exe	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
File created	C:\Windows\Logo1_.exe	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
File created	C:\Windows\Logo1_.exe	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
File created	C:\Windows\Logo1_.exe	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1104	960	WerFault.exe	82
1496	960	WerFault.exe	82

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe
960	Logo1_.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 4520	1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	81
PID 1536 wrote to memory of 4520	1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	81
PID 1536 wrote to memory of 4520	1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	81
PID 1536 wrote to memory of 960	1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	82
PID 1536 wrote to memory of 960	1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	82
PID 1536 wrote to memory of 960	1536	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	82
PID 960 wrote to memory of 4160	960	Logo1_.exe	84
PID 960 wrote to memory of 4160	960	Logo1_.exe	84
PID 960 wrote to memory of 4160	960	Logo1_.exe	84
PID 4160 wrote to memory of 1288	4160	net.exe	86
PID 4160 wrote to memory of 1288	4160	net.exe	86
PID 4160 wrote to memory of 1288	4160	net.exe	86
PID 4520 wrote to memory of 4492	4520	cmd.exe	87
PID 4520 wrote to memory of 4492	4520	cmd.exe	87
PID 4520 wrote to memory of 4492	4520	cmd.exe	87
PID 4492 wrote to memory of 2396	4492	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	88
PID 4492 wrote to memory of 2396	4492	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	88
PID 4492 wrote to memory of 2396	4492	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	88
PID 2396 wrote to memory of 2384	2396	cmd.exe	90
PID 2396 wrote to memory of 2384	2396	cmd.exe	90
PID 2396 wrote to memory of 2384	2396	cmd.exe	90
PID 2384 wrote to memory of 2696	2384	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	91
PID 2384 wrote to memory of 2696	2384	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	91
PID 2384 wrote to memory of 2696	2384	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	91
PID 2696 wrote to memory of 1644	2696	cmd.exe	94
PID 2696 wrote to memory of 1644	2696	cmd.exe	94
PID 2696 wrote to memory of 1644	2696	cmd.exe	94
PID 1644 wrote to memory of 2140	1644	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	95
PID 1644 wrote to memory of 2140	1644	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	95
PID 1644 wrote to memory of 2140	1644	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	95
PID 2140 wrote to memory of 4124	2140	cmd.exe	97
PID 2140 wrote to memory of 4124	2140	cmd.exe	97
PID 2140 wrote to memory of 4124	2140	cmd.exe	97
PID 4124 wrote to memory of 3340	4124	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	98
PID 4124 wrote to memory of 3340	4124	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	98
PID 4124 wrote to memory of 3340	4124	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	98
PID 960 wrote to memory of 2784	960	Logo1_.exe	47
PID 960 wrote to memory of 2784	960	Logo1_.exe	47
PID 3340 wrote to memory of 4944	3340	cmd.exe	100
PID 3340 wrote to memory of 4944	3340	cmd.exe	100
PID 3340 wrote to memory of 4944	3340	cmd.exe	100
PID 4944 wrote to memory of 4268	4944	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	101
PID 4944 wrote to memory of 4268	4944	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	101
PID 4944 wrote to memory of 4268	4944	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	101
PID 4268 wrote to memory of 4736	4268	cmd.exe	103
PID 4268 wrote to memory of 4736	4268	cmd.exe	103
PID 4268 wrote to memory of 4736	4268	cmd.exe	103
PID 4736 wrote to memory of 2128	4736	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	104
PID 4736 wrote to memory of 2128	4736	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	104
PID 4736 wrote to memory of 2128	4736	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	104
PID 2128 wrote to memory of 5096	2128	cmd.exe	106
PID 2128 wrote to memory of 5096	2128	cmd.exe	106
PID 2128 wrote to memory of 5096	2128	cmd.exe	106
PID 5096 wrote to memory of 4312	5096	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	109
PID 5096 wrote to memory of 4312	5096	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	109
PID 5096 wrote to memory of 4312	5096	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	109
PID 4312 wrote to memory of 852	4312	cmd.exe	111
PID 4312 wrote to memory of 852	4312	cmd.exe	111
PID 4312 wrote to memory of 852	4312	cmd.exe	111
PID 852 wrote to memory of 3020	852	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	112
PID 852 wrote to memory of 3020	852	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	112
PID 852 wrote to memory of 3020	852	112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe	112
PID 3020 wrote to memory of 2028	3020	cmd.exe	114
PID 3020 wrote to memory of 2028	3020	cmd.exe	114

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2784
- C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
  "C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a879F.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
      "C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A9C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B77.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8CCF.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8E55.bat
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8F01.bat
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a902A.bat
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a91A1.bat
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a928B.bat
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe"
        20⤵
        Executes dropped EXE
        
        PID:2028
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1008
      4⤵
      Program crash
      PID:1104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1008
      4⤵
      Program crash
      PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 960 -ip 960
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 960 -ip 960
1⤵
PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a879F.bat

Filesize
722B

MD5
cab000dcb3b8c39f63502b2120d664bc

SHA1
01447add293e3e9ea3ffe04d76eb2ce34e6950ad

SHA256
6182d29fd6c7ae23b67066260333bc3ad9418557e288de0f26f02b744bd0814d

SHA512
4514ac2e365ec310feb79ccec7c3c30ab6ebcaec989db21c5b63aa5b77c420d8bcb6cefc41f2b286c9acade02956a72752e803fd0615e41b9be1a28b861d36b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8A9C.bat

Filesize
722B

MD5
982f6d27ad7ac74deccb095fc545ca5b

SHA1
ff34abfcca078d1329f10774cfeeac5ea49d790b

SHA256
74d17fa0381e979447199bb17b6ef80585139447f7ae48296dfa6ca76f9081ff

SHA512
9a48894b460ecbc5ffdf293a787fff5c473f231d78fd66787f3a9fc990ed557037acf452c8df76cee027648b97a370ca79488abd58f6621a452cd58abe4e7194

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8B77.bat

Filesize
722B

MD5
85282b970d36273c2aa81e2d1fae6a98

SHA1
d10ca79a152c1bfee8d94ebafb2d5c3842105bdc

SHA256
2529fa0c2a9a6e3721789f1af2f74f6d54f469e259d202e1b155930841e028dc

SHA512
316e61315a60c6c5f9672c4207be33792df53bca08c06b5b7b16cba3488e47c87ee079722184f745d3b3cd8dda875a994dce9568ccc9c65d89409feb15305c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8CCF.bat

Filesize
722B

MD5
aee6d190ef0c76288dbbce6f5773e61a

SHA1
da4d09b9719a488092992224aeb652ad50e6b98a

SHA256
7ecd09b333fcbcd7eefa2a70c750270287abd5a8323eb3dfaaba61b14030cce4

SHA512
ec96d149c723399fd94e080e0c448c78aae5aa6c2fcd7f4cd8f968fd230fb6303c94528d7f2389c5e0dab95cb7adb0bd5ecab574e8459da5e128c0bf0928a2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8E55.bat

Filesize
722B

MD5
31e01593cddcab9d8a60ce3bc3813cc4

SHA1
aa8a59e81af36c75a5de2e54c00848206d26764a

SHA256
4567783e3ae44acb9dbd54155db2cb156a66fd82088a49ef21efd533f1abc80d

SHA512
2f61f195a5b03e6083f5ec3ed9e4c7a886897a577f6acf43d8e547a4152003366feec0f18c0eb8cbaadebfdb5bb22b8257124b920aafe12e3dbe14644469e420

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8F01.bat

Filesize
722B

MD5
c455327515edd9d446f754d9dabf959c

SHA1
ce16c987aba2bf441d587a393c078c5ce3ec48e2

SHA256
c388d39c5d60976ba70a014bcbcfa1476f7aeb646ee5651161b5252f9cacd275

SHA512
e4c417ab39af6662df772c79f8ae4a10b37a287039ae5ad2e7d774874c2de1feb28f923f5c70f1fa2cbbbc88ec559de257e6e291f0002b9e72e5c6ea0d2d89c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a902A.bat

Filesize
722B

MD5
51fde4db18d71a18e6b1d514b1671518

SHA1
947e250120d2a329dc60033e537cfff7a24e3c91

SHA256
64c8551dc02c7d4488b7749f94587929f0bef05ca88c6c0090ba94859971cda3

SHA512
b1113221b6e8f9cf49eab48a9381480ad02346f1fda3595abb0b9533faae1f55945d9af8c0ecd6ee1d574ab32b4a12c3dd9aac3a438ab2b7e92e17c78c4f4444

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a91A1.bat

Filesize
722B

MD5
c5335917ecd1d0b6adef8016770e7e07

SHA1
f7ae13ddb5a5ddda159642d943ace09c4d18f8b0

SHA256
c211893dfdbff66f92d91073cd3ea9fc145a3e5220868ce57e39b93c38979910

SHA512
fedf60f141bf7fc4f0c212181f410ba31b74246bc9aecc8edb2cfe6b7057b5ecf6dcc102f37a90207401510b3203a762662fe3b70dc6171a4c38e60e2c3f8406

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a928B.bat

Filesize
722B

MD5
7c64864f2e5f730c3ab009fa82a2e96c

SHA1
04e87642ab5a8dc5b69edcda22d28c45d87d396f

SHA256
6ad4134b90cb94a23dc670413553b7b96b2f573dd482eafebf284cf07714e51e

SHA512
0d04381c631971eaf493e398056207da060ee5a0fd6aff4a7e72ac700c184f4f49bd4e31313c70228f28bf54d727fd972abedfafbef17059b2e166ee49b3abe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe

Filesize
315KB

MD5
1c1dc486f35b105cf4f24f3594e2ac91

SHA1
ee66fb9c171933aca3779d216a48e7d3f8ed86b1

SHA256
f11d242a29a53320bc3d09a4a143f019f3c1f23575aa38d4af064d20362c902f

SHA512
20eda269b3bcd0ca7607abc95258dae0b8ebc7f22020e8b906ad60a0c80c8c24312ae743362408fa8e2dc69213f71470715cfb7a8607c40280b4d54fa0624032

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe

Filesize
282KB

MD5
a2a2054c374044ba61023d94fdd9fd28

SHA1
04c1435959046e1aba1bae1a3067e6371ed36f6b

SHA256
f3b879223f9665d61d6efc5c73e6f7f3218f49f40d81e4dde8c4186cc287c758

SHA512
b5dbc2b8514115845e1bb89e918e8d0cb960f0618893bfb66dfeda6f7f2d2e454d5334b28cbcaaeb825330a35b351fa001d21c97f053148f5d30d76c779629a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe

Filesize
250KB

MD5
ae7b0928b0c21744655abce9f450c039

SHA1
9a5281ac94dd6c88d25ed1e8b9b3e3c79f5bb58f

SHA256
eaa7e35ea53d82676b8bf3cda19be941251168ca675686c8b98052aaf2ad65c4

SHA512
1dbd3fc9d0d90e74b018099519fd89dcf151ae3b22444e30983bdf876709cf760b6cafb70c7dc71a4a083d3dd00128604b54ac55e1d5252657b1ecc683efeef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe

Filesize
217KB

MD5
3cf2e0ec35c4de80d160d8e9152fbcf1

SHA1
a5192745f3927a1b21a312a45c786dc144337693

SHA256
83e974b3821454b65f674c4a036c3c03448efff6b95fbf783ee25061164396ee

SHA512
ce1e04aa88874d75c011a40cadcb344f32770edd613f9d0929c968b4f4f7e448530f3c6ecfa9a8f58e303cd3d2a22819a91dbfb59108ec97d4a020429a81c62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe

Filesize
185KB

MD5
a732aa439d48aa2b8ed3c32604e0f850

SHA1
ad58efc36a8478a06051da288ed50efa32d8e867

SHA256
02d8c52f4fa23847637a15f0487854b0e56540027d08b08dff687417d26a61de

SHA512
5b73c10bb21e625b26fb1b516b02e646b85c109842ce8811fa5a3dec6db96e5c4af2952fb0e774ed28e1c40f5f00aa5173d52335eed08f7dc5da6eb279752a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe

Filesize
152KB

MD5
946dcc15d6b5376f8dbccc6ea8044ae5

SHA1
baf771d8e6a4e7e83d03007379bb8958a06a5f7f

SHA256
01b5bbe6c245c756877263004a49a9abde2e90c2220a147b33b246913ed475ef

SHA512
7735699b2169b5111146f9b9f0c965215f8dac32b312e7ec43bd16bf1f3a37b8dfbb010ded979ef81ce3b1d31a6184bbf434ac515f03fec07b82332ee4e5f8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe

Filesize
120KB

MD5
bf873f879d6b5ecdc12ebf42ac0fac41

SHA1
a15955843b604cdd36e02f3ae0c9d0d221c86582

SHA256
7590b5f93c2405a3a4f1cfad0ebdf261aaffde6133bb676d9b4c7945609821a7

SHA512
4bd615ed8ba3596443093ca266e367f9cdd637183c1c3e3771869320de7eeb717902d7fff426dbb54700c3882e04ebf370edd2afc6b1e195ade688a2ecfbe898

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe

Filesize
87KB

MD5
9580bbc7a303261a212a53105a2b2033

SHA1
20a7d92cb26cec95c1639c24d4489d4324bd087d

SHA256
cf1758500d5e922c6d88e830c8432dfdf3df199c6839e44820861ddd1ccb8ae8

SHA512
b54c2e7d89b87a14c9c914956fdcdda96a29a90fc9b4436e7321b57e2cba347d16ba30488e358f03d21e24c62c7d4c1dd3456e4bf287c09e0fa4961c5472f1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe

Filesize
55KB

MD5
5418862e9e238ecdc0f45aed373bac52

SHA1
f3776a4b2277965d1cb1bb502abae7c38aaf32a4

SHA256
03707a58db01bf95b455d331bf0e7721759761f100a173cd028f35687183ffce

SHA512
022d6426fd5dffe44d1a7e01fcc635de030757d6b7427a0b66c23dd11acac9854cee351b455959e2bc446e3f2c646a9e524452ee63f43e0963c4e99ab1b9a0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe.exe

Filesize
315KB

MD5
1c1dc486f35b105cf4f24f3594e2ac91

SHA1
ee66fb9c171933aca3779d216a48e7d3f8ed86b1

SHA256
f11d242a29a53320bc3d09a4a143f019f3c1f23575aa38d4af064d20362c902f

SHA512
20eda269b3bcd0ca7607abc95258dae0b8ebc7f22020e8b906ad60a0c80c8c24312ae743362408fa8e2dc69213f71470715cfb7a8607c40280b4d54fa0624032

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe.exe

Filesize
282KB

MD5
a2a2054c374044ba61023d94fdd9fd28

SHA1
04c1435959046e1aba1bae1a3067e6371ed36f6b

SHA256
f3b879223f9665d61d6efc5c73e6f7f3218f49f40d81e4dde8c4186cc287c758

SHA512
b5dbc2b8514115845e1bb89e918e8d0cb960f0618893bfb66dfeda6f7f2d2e454d5334b28cbcaaeb825330a35b351fa001d21c97f053148f5d30d76c779629a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe.exe

Filesize
250KB

MD5
ae7b0928b0c21744655abce9f450c039

SHA1
9a5281ac94dd6c88d25ed1e8b9b3e3c79f5bb58f

SHA256
eaa7e35ea53d82676b8bf3cda19be941251168ca675686c8b98052aaf2ad65c4

SHA512
1dbd3fc9d0d90e74b018099519fd89dcf151ae3b22444e30983bdf876709cf760b6cafb70c7dc71a4a083d3dd00128604b54ac55e1d5252657b1ecc683efeef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe.exe

Filesize
217KB

MD5
3cf2e0ec35c4de80d160d8e9152fbcf1

SHA1
a5192745f3927a1b21a312a45c786dc144337693

SHA256
83e974b3821454b65f674c4a036c3c03448efff6b95fbf783ee25061164396ee

SHA512
ce1e04aa88874d75c011a40cadcb344f32770edd613f9d0929c968b4f4f7e448530f3c6ecfa9a8f58e303cd3d2a22819a91dbfb59108ec97d4a020429a81c62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe.exe

Filesize
185KB

MD5
a732aa439d48aa2b8ed3c32604e0f850

SHA1
ad58efc36a8478a06051da288ed50efa32d8e867

SHA256
02d8c52f4fa23847637a15f0487854b0e56540027d08b08dff687417d26a61de

SHA512
5b73c10bb21e625b26fb1b516b02e646b85c109842ce8811fa5a3dec6db96e5c4af2952fb0e774ed28e1c40f5f00aa5173d52335eed08f7dc5da6eb279752a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe.exe

Filesize
152KB

MD5
946dcc15d6b5376f8dbccc6ea8044ae5

SHA1
baf771d8e6a4e7e83d03007379bb8958a06a5f7f

SHA256
01b5bbe6c245c756877263004a49a9abde2e90c2220a147b33b246913ed475ef

SHA512
7735699b2169b5111146f9b9f0c965215f8dac32b312e7ec43bd16bf1f3a37b8dfbb010ded979ef81ce3b1d31a6184bbf434ac515f03fec07b82332ee4e5f8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe.exe

Filesize
120KB

MD5
bf873f879d6b5ecdc12ebf42ac0fac41

SHA1
a15955843b604cdd36e02f3ae0c9d0d221c86582

SHA256
7590b5f93c2405a3a4f1cfad0ebdf261aaffde6133bb676d9b4c7945609821a7

SHA512
4bd615ed8ba3596443093ca266e367f9cdd637183c1c3e3771869320de7eeb717902d7fff426dbb54700c3882e04ebf370edd2afc6b1e195ade688a2ecfbe898

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe.exe

Filesize
87KB

MD5
9580bbc7a303261a212a53105a2b2033

SHA1
20a7d92cb26cec95c1639c24d4489d4324bd087d

SHA256
cf1758500d5e922c6d88e830c8432dfdf3df199c6839e44820861ddd1ccb8ae8

SHA512
b54c2e7d89b87a14c9c914956fdcdda96a29a90fc9b4436e7321b57e2cba347d16ba30488e358f03d21e24c62c7d4c1dd3456e4bf287c09e0fa4961c5472f1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\112b9c4e266882de1a4d27231f16482f8bb5d6031843c377a95e157fe539ad37.exe.exe

Filesize
55KB

MD5
5418862e9e238ecdc0f45aed373bac52

SHA1
f3776a4b2277965d1cb1bb502abae7c38aaf32a4

SHA256
03707a58db01bf95b455d331bf0e7721759761f100a173cd028f35687183ffce

SHA512
022d6426fd5dffe44d1a7e01fcc635de030757d6b7427a0b66c23dd11acac9854cee351b455959e2bc446e3f2c646a9e524452ee63f43e0963c4e99ab1b9a0cb

Download Submit
C:\Windows\Logo1_.exe

Filesize
32KB

MD5
9e14fac97a01ee7427ae9a97866df2e7

SHA1
6d446c4be97fdd41815670451334a0e2d19160f7

SHA256
413eaf4bbb6b251ff623f9b81184603a2c995da59ef60c58718a1487c5ada387

SHA512
039ef003f657900984c6202fe2b902ae672fe1273465e1d2f62f8d6fe0ee87cabe1fbd93b7c7e5cc7296d445972c45838556f83b722765020b10db1a41b543e1

Download Submit
C:\Windows\Logo1_.exe

Filesize
32KB

MD5
9e14fac97a01ee7427ae9a97866df2e7

SHA1
6d446c4be97fdd41815670451334a0e2d19160f7

SHA256
413eaf4bbb6b251ff623f9b81184603a2c995da59ef60c58718a1487c5ada387

SHA512
039ef003f657900984c6202fe2b902ae672fe1273465e1d2f62f8d6fe0ee87cabe1fbd93b7c7e5cc7296d445972c45838556f83b722765020b10db1a41b543e1

Download Submit
C:\Windows\rundl132.exe

Filesize
32KB

MD5
9e14fac97a01ee7427ae9a97866df2e7

SHA1
6d446c4be97fdd41815670451334a0e2d19160f7

SHA256
413eaf4bbb6b251ff623f9b81184603a2c995da59ef60c58718a1487c5ada387

SHA512
039ef003f657900984c6202fe2b902ae672fe1273465e1d2f62f8d6fe0ee87cabe1fbd93b7c7e5cc7296d445972c45838556f83b722765020b10db1a41b543e1

Download Submit
C:\Windows\rundl132.exe

Filesize
32KB

MD5
9e14fac97a01ee7427ae9a97866df2e7

SHA1
6d446c4be97fdd41815670451334a0e2d19160f7

SHA256
413eaf4bbb6b251ff623f9b81184603a2c995da59ef60c58718a1487c5ada387

SHA512
039ef003f657900984c6202fe2b902ae672fe1273465e1d2f62f8d6fe0ee87cabe1fbd93b7c7e5cc7296d445972c45838556f83b722765020b10db1a41b543e1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\_desktop.ini

Filesize
9B

MD5
2326d479b287193a70f520700dc8d23e

SHA1
afea66d3788a50debd6f5d4c9dd51f68a4477e64

SHA256
95d41561a1467d20977f59108e85da181e0b4dfd3db9e40182ae7378c4a927f8

SHA512
cb971c406ddf7147536a6a1569d4ff49d7219aa52cde5d110be1109874d66daace832d423d7969af9e6bbc9738a65734c7e68e994591b7677aad51fa0f52cf37

Download Submit
memory/852-78-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/852-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/960-553-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/960-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/960-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1536-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1536-10-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1644-35-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-26-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4124-42-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4492-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4736-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-50-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5096-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download