3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2023 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
Size

1.8MB
MD5

f3f907603e41a2133b2d629b9f98f372
SHA1

82225d5cb4300acfa0a827cb7f40200171ca1c63
SHA256

3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db
SHA512

b69e6b2ca81a329672769db98abb8ca10d15bb1451ee3ef2df5ea29531285c794a4306ed26d13faca77d2e3c83f2136e3727c9d41c11ff1260cb28e1923c7a09
SSDEEP

49152:o7h2DrmHMYyD2hP/MBE7zyZ+ABENWyg+hql:semHGqnM4z0+ABEMyFu

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	cpuz_x64.exe

Executes dropped EXE 3 IoCs

pid	Process
2080	Logo1_.exe
4404	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
1740	cpuz_x64.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023176-16.dat	upx
behavioral2/memory/4404-18-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/4404-83-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cpuz_x64.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\include\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\_Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\sr-Latn-RS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.32530.0_x86__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
File created	C:\Windows\Logo1_.exe	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	cpuz_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	cpuz_x64.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	cpuz_x64.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1716	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
2080	Logo1_.exe
1740	cpuz_x64.exe
1740	cpuz_x64.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1740	cpuz_x64.exe
Token: SeLoadDriverPrivilege	1740	cpuz_x64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1740	cpuz_x64.exe
1740	cpuz_x64.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1856	2552	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	89
PID 2552 wrote to memory of 1856	2552	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	89
PID 2552 wrote to memory of 1856	2552	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	89
PID 2552 wrote to memory of 2080	2552	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	91
PID 2552 wrote to memory of 2080	2552	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	91
PID 2552 wrote to memory of 2080	2552	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	91
PID 2080 wrote to memory of 3532	2080	Logo1_.exe	92
PID 2080 wrote to memory of 3532	2080	Logo1_.exe	92
PID 2080 wrote to memory of 3532	2080	Logo1_.exe	92
PID 3532 wrote to memory of 4224	3532	net.exe	94
PID 3532 wrote to memory of 4224	3532	net.exe	94
PID 3532 wrote to memory of 4224	3532	net.exe	94
PID 1856 wrote to memory of 4404	1856	cmd.exe	95
PID 1856 wrote to memory of 4404	1856	cmd.exe	95
PID 1856 wrote to memory of 4404	1856	cmd.exe	95
PID 4404 wrote to memory of 1740	4404	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	99
PID 4404 wrote to memory of 1740	4404	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	99
PID 2080 wrote to memory of 3456	2080	Logo1_.exe	51
PID 2080 wrote to memory of 3456	2080	Logo1_.exe	51
PID 1740 wrote to memory of 1716	1740	cpuz_x64.exe	104
PID 1740 wrote to memory of 1716	1740	cpuz_x64.exe	104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
  "C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a468E.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
      "C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1740.log
        6⤵
        Opens file in notepad (likely ransom note)
        
        PID:1716
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
0c5e863b4f42e3666a8c10967ff5a592

SHA1
b1f368bc31b28fe047ba65ff7f15646e853cccc9

SHA256
0e47e74aeff65c1fc274fcb519c595232df39a52534e72616fbc2efdf67bfeba

SHA512
c21bb24395feea23bd40a91a20cfdae809727c199f25654bcd47c3522c3bbc3cd8574700a1c233083608bd028304b5ef656d0869f0b322bf4d84ccbcb66b38ef

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
73cfb732f08a005af2339180540e5ad0

SHA1
56854432e6898e594b5b5923f909649756010097

SHA256
01903b8f69d6f83a229c87d41a85ee136dc5db4da67a6c5efd2de926170d6a80

SHA512
986c793c0e84327921548cd1a70f4e98df663e5f0cba6cd2852810d9e5a25af9fb30da0af66f6fe321fcf87fd0f3736584d2a62bf39b7daf0af2a0dd4311f9b1

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
481KB

MD5
1db5b390daa2d070657fbdb4f5d2cc55

SHA1
77e633e49df484b827080753514cc376749b0ceb

SHA256
d5fbaf5c0d8e313d4dad23b28cac4256c5dbed6ab3b0d797e2971f30c5e095ad

SHA512
68aa0152f5aae79a146c1813915fd16ec5454b285bd1781370923f97d6c147d53684192f7f4161e5c1a340959ec432ecaac127b0abe7d08f70c387e08ee4f617

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a468E.bat

Filesize
722B

MD5
d52baecab52332312c9cfd91c1c93b4a

SHA1
4ef7579234b84ca39916db09e963fd357825ed3a

SHA256
a921103c13fba602bff1ebba84c068571cc241a7ddeed5c449e3feb39cdfc546

SHA512
39959c66eadae716e6ab6f8b9aad9622839f722eb60807e30241dd06021e52bfe3d28efb1f09a486e3f4bcdcba3dc70a369b27e3005227288a82a439af28978d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe.exe

Filesize
1.8MB

MD5
8df415c002de30c5503e10bebd90e589

SHA1
ab9424620ea16ea65c031f10962eeb43d3477427

SHA256
7f79d589c3847081988a697fc39a32bda2ef0646070d8a6bc3b0a033f9de46cd

SHA512
68065a84ca612721483143c88c6143ba80ad3404f82313f3f5971840ae83e611dc62e6a7868031008eb1730316c87ce80a0f79209ace5e38b75800bf323eb1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz.ini

Filesize
610B

MD5
b1525c1c4a65d3d12038a94de6110f2e

SHA1
93cf4da290212076e338631082fe95d03cec1051

SHA256
72cdd3d39db6165e2c21dab00dc54dec61d26893d04f555c6a18547f0478b916

SHA512
afa790e7661e7a9e121695040ba5eda8903ac58883ea5af216cfb01516979633d36a12febea16edac7d20cfbd6ad62bc16a40896efad139c17ae7806bad91609

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe

Filesize
1024KB

MD5
20ec46b2159ac4fc3e9bed18f34f4484

SHA1
2d11657068d2d44e79574ee3bd20219cf11167f5

SHA256
f3d775e7a7558bcc0a3af23ae2fbf2d6d0693982cd1df0b9b73b32dcd42b6805

SHA512
7200fcaeb85dc568d496c81f2dbcfe05cbffb6250d7044e0f6404934f35cdb4cbfbe4969030c08286d98d4672c1241a8771b39e999d2a10228a14606d078448c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe

Filesize
722KB

MD5
6e8a5a78cc799128941c55320f0c5614

SHA1
e7b650ed7ae4d0c9c4c94bdde0fefd50f4f1df31

SHA256
4d3bff8ad5b5c8aba8c09fa3ef81ec1c2c07e79d3328d1ba1cc49ffef5966a20

SHA512
d3ed9caf4277599cb16aab29b478398741cf1f24cafd7aeea5d9cb844a2d4770da5cb05df7b2df237d3f7ce902efd49059d1b9ff4339a4cbeaf5d4cdee3e0b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe

Filesize
880KB

MD5
e2a120c385c2a4eebf3bc4cc36316878

SHA1
563e73e4b46fb14a6285d60df2c0d6a52e4efd27

SHA256
5e068f88a6fb2f3a3a4a52619c56f76f037d72dde07ce45fe4650cf8eb8438b5

SHA512
d038fd83ab608332706ace4d5caa4a2035e662e7d4f67156a6faed7996f009990d6038602795907b2a4294371ba6adf9e6bfcc80956ce2733db7140c019672f7

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
fb93094f20bbc5dcb79268d23f38361c

SHA1
516b8b78319dc3f2adbe7e4de6a4e3fba41ae76a

SHA256
cf70d1c51b86031f36294c54caa11f02cd09e2b82fcd286240809891c7a82eff

SHA512
ceeb1988199292d7792ebff568e7bb89f49b628e5df409432b2263752de9142f00101f2bfe1bfc44321ed7934e70a1bf02f9823be43a1ee0e7ea52c504ab3d0f

Download Submit
C:\Windows\temp\cpuz_driver_1740.log

Filesize
2KB

MD5
0d0332a76c5e522cfdfc593c4b48971c

SHA1
718fed21b637f915cbae66e78ddde8ba567a89ad

SHA256
2f67a87914f494e0f96675e31b3550ddb2c891ff0886232bdf727fe83039f285

SHA512
fcc5d3d81a1e86b97a4fdb2a2282d010c176385026ef85ddd901288bd154fd359184ffb579fd0915a5726228b76cfbf0d77e4aa2e07a3438fa7343231db2c1c2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1232405761-1209240240-3206092754-1000\_desktop.ini

Filesize
10B

MD5
7ffaa74dcf5b57082a43c17464e10782

SHA1
c6cf002ebb82e54cb14553d044f6c61463b369a6

SHA256
b3bfda52765f0ec02320ef68e5fca5e0d4bb61e1ec6f062430a5711a41c1be65

SHA512
35ef0f681e44781b5dc20e179918be9dad7be2029093f9537cfe30bff888bc875ad32e6bbb59294dc36779829bab7aa6ebfac9e93c6a1ef5e4e7ddde85bb6de8

Download Submit
memory/2080-1074-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-4793-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-1238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4404-83-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download