a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86

Analysis

max time kernel
157s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
Size

933KB
MD5

b8f29f83d698c7c053f61e25ead1ce8d
SHA1

7b27c1132ecb426d42058e7e41e6d336c994c2ff
SHA256

a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86
SHA512

f49150e31ed34f4d1322bd8676574538ec9292b9e2b75484119bf723a73968410e9cc8fea2f92d9ffffef088997bb519c2cfc070145b7168c60a2e86094b77fa
SSDEEP

24576:2JN9GENWyYHf2T9TWZxyy2bzuRlqxWYdMD:2X9ZWyEIJWmy2vuRlCeD

Score

7^/10

evasion trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Au_.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe

Executes dropped EXE 4 IoCs

pid	Process
2892	Logo1_.exe
3592	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
5080	Au_.exe
1680	Au_.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Au_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\gl-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Fonts\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
File created	C:\Windows\Logo1_.exe	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
3592	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
3592	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
3592	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
3592	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
2892	Logo1_.exe
5080	Au_.exe
5080	Au_.exe
5080	Au_.exe
5080	Au_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5080	Au_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5080	Au_.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 3132	2188	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe	90
PID 2188 wrote to memory of 3132	2188	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe	90
PID 2188 wrote to memory of 3132	2188	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe	90
PID 2188 wrote to memory of 2892	2188	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe	91
PID 2188 wrote to memory of 2892	2188	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe	91
PID 2188 wrote to memory of 2892	2188	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe	91
PID 2892 wrote to memory of 3572	2892	Logo1_.exe	92
PID 2892 wrote to memory of 3572	2892	Logo1_.exe	92
PID 2892 wrote to memory of 3572	2892	Logo1_.exe	92
PID 3572 wrote to memory of 3304	3572	net.exe	94
PID 3572 wrote to memory of 3304	3572	net.exe	94
PID 3572 wrote to memory of 3304	3572	net.exe	94
PID 3132 wrote to memory of 3592	3132	cmd.exe	96
PID 3132 wrote to memory of 3592	3132	cmd.exe	96
PID 3132 wrote to memory of 3592	3132	cmd.exe	96
PID 2892 wrote to memory of 3448	2892	Logo1_.exe	33
PID 2892 wrote to memory of 3448	2892	Logo1_.exe	33
PID 3592 wrote to memory of 5080	3592	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe	97
PID 3592 wrote to memory of 5080	3592	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe	97
PID 3592 wrote to memory of 5080	3592	a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe	97
PID 5080 wrote to memory of 1680	5080	Au_.exe	98
PID 5080 wrote to memory of 1680	5080	Au_.exe	98
PID 5080 wrote to memory of 1680	5080	Au_.exe	98

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
  "C:\Users\Admin\AppData\Local\Temp\a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBCD8.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
      "C:\Users\Admin\AppData\Local\Temp\a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\wps\~e57c023\Au_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wps\~e57c023\Au_.exe" /from="cmd.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Users\Admin\AppData\Local\Temp\wps\~e57c023\Au_.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wps\~e57c023\Au_.exe" -downpower /from=cmd.exe -msgwndname=uninstallsend_message_E57C786
        6⤵
        Executes dropped EXE
        
        PID:1680
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3572
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
0a160f7903b686eb61c24ee9e64bee27

SHA1
ce55b20785467bb1db067ffe3a585dce48ffd594

SHA256
0ba367be5f1f4591485d319506d8d59cae56a541e74649bd765ab2df6910c3d4

SHA512
6d233b4472bd351d2d991a28486d7883b2df233769edb451c352fe2bba71b7a97a75d48eab2fee7eb720103b08b14062e6444333a5934893130bf60d1875fb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBCD8.bat

Filesize
722B

MD5
108b3964aa8fbe9bafd3d541f9968e63

SHA1
ef5d2ef07bac7daaadc98ec496b66c97f833b8ea

SHA256
d535a2ddad7f1906b67d0cc6129e080db4857199873408f620f6a21160e558da

SHA512
265343135f0b407f5f6c1b712d2406797eb6a2f8e4329b8355b70fc7f56a887972f2a5470c7d3f91f1f00066d9b40a2017827360a8b33471a630fcf14e12b8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe.exe

Filesize
906KB

MD5
d7b8ea84af8f998b7f344889d2e112d9

SHA1
99b7c68d38ccc7a8c6cee171679100d316bbfcc0

SHA256
d2df31a05e5c1e1b9869270157eac5f475998d17defb961072d9e1dca5cdd70c

SHA512
bf479b26f7752159508090643e38ba99a9f506b59485e961f00befa4dced1cf59b4a00dddf89448caddb30e044258f68ee0253f1cc56b406de99ccd7c25f53b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps\~e57c023\Au_.exe

Filesize
711KB

MD5
ff513c76d27352b3d9b8de6eea1257ca

SHA1
36da43ee3a8d0fa1262647a3f441d3bc5183b853

SHA256
7231178b98e5a13171c823cc531460e5de7f9bfa26d23859bb3481265c7b5793

SHA512
e1adba1606751fa42088487095a0d8f4b6a2843e7a4ecede14c874625d6cde3878c3a91cc27edf176b7edd5f8116aa7d666085f0d5abf034b099dbc30951d729

Download Submit
C:\Users\Admin\AppData\Local\tempuninstall.ini

Filesize
161B

MD5
0820124c60e4f985ccf7798177b8ab12

SHA1
bf9c3dca7e71d60381146e1f71aea41f93e165df

SHA256
daf958fe8a43090d39d07c9d31a0c5c5223cc340e54a1205046524af2703353f

SHA512
22caeeb292197fc94d80f49c5251cc6db2ced8569905a5a5b03dc30ed8c158fbb4aecd340daf896e9c043255d658a9b0b1aef6f56ef3150275c4a7dbb740fb28

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
3030179dc0c4ffbe720135ca0fd6a872

SHA1
dffac6c5ec0d5dc259018febe37645089a808d34

SHA256
f041faf839a587f7ca878c16c03e4ff64d6158e30548196c53cfbc2ad076515b

SHA512
b2017915ff651a5e23a2946cbfa50931725df05a2f6953d7f876cb58619c4be933464c905c0c4c83e1981973181f95d085b2e4ab77c271dab577d71829c4a1e8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\_desktop.ini

Filesize
9B

MD5
20579de1c6702ea14f25df921a00274b

SHA1
fc7299007b5fb0580c7a3ef6ae0efd8aaf80a35f

SHA256
3eb24c26a19e67d7f499ccb30f78fc29bee126bafd13f41470223c1b8f2e1e4e

SHA512
e9a21ede4321b86e5d215d41321741f8db22b9eb92c1325026182c688311d5134041102a194d670abcbd182d2c91d5180ac9b7c9daaf9e41109a3b3d8e3c3d81

Download Submit
memory/1680-39-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2188-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-1233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-2148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-2245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-69-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/5080-84-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download