9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
Size

2.6MB
MD5

df53ad13aff8929fe1a4ba5b42efd2a1
SHA1

8a0fe7e2db23166ac9d9994af28dbf0904f09709
SHA256

9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670
SHA512

61682899ffbcce870aaa0e8bbf6f12d8926010440bf45542f4cc40edac1efb9593394595f05eda22ebbdc8bc3697e726383d6c83367f7b39d73125c109687124
SSDEEP

49152:zkqQV4PlKqAllllKd1LYguqOxTmRXcObG:qV4PlKqpDYgLsObG

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 26 IoCs

pid	Process
2868	Logo1_.exe
5040	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
4920	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
3920	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
4408	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1684	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1840	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
5100	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
3852	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
3900	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
4260	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
4392	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
2256	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
4664	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
4580	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
3928	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
636	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1204	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1084	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
4012	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
2452	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
4880	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
2204	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1028	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
3420	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
4124	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\uk-UA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\rundl132.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
File created	C:\Windows\Logo1_.exe	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe
2868	Logo1_.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 924	1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	89
PID 1784 wrote to memory of 924	1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	89
PID 1784 wrote to memory of 924	1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	89
PID 1784 wrote to memory of 2868	1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	90
PID 1784 wrote to memory of 2868	1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	90
PID 1784 wrote to memory of 2868	1784	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	90
PID 2868 wrote to memory of 3200	2868	Logo1_.exe	92
PID 2868 wrote to memory of 3200	2868	Logo1_.exe	92
PID 2868 wrote to memory of 3200	2868	Logo1_.exe	92
PID 3200 wrote to memory of 4168	3200	net.exe	94
PID 3200 wrote to memory of 4168	3200	net.exe	94
PID 3200 wrote to memory of 4168	3200	net.exe	94
PID 924 wrote to memory of 5040	924	cmd.exe	95
PID 924 wrote to memory of 5040	924	cmd.exe	95
PID 924 wrote to memory of 5040	924	cmd.exe	95
PID 5040 wrote to memory of 2040	5040	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	96
PID 5040 wrote to memory of 2040	5040	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	96
PID 5040 wrote to memory of 2040	5040	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	96
PID 2040 wrote to memory of 4920	2040	cmd.exe	98
PID 2040 wrote to memory of 4920	2040	cmd.exe	98
PID 2040 wrote to memory of 4920	2040	cmd.exe	98
PID 4920 wrote to memory of 1728	4920	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	99
PID 4920 wrote to memory of 1728	4920	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	99
PID 4920 wrote to memory of 1728	4920	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	99
PID 1728 wrote to memory of 3920	1728	cmd.exe	102
PID 1728 wrote to memory of 3920	1728	cmd.exe	102
PID 1728 wrote to memory of 3920	1728	cmd.exe	102
PID 3920 wrote to memory of 4684	3920	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	104
PID 3920 wrote to memory of 4684	3920	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	104
PID 3920 wrote to memory of 4684	3920	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	104
PID 4684 wrote to memory of 4408	4684	cmd.exe	107
PID 4684 wrote to memory of 4408	4684	cmd.exe	107
PID 4684 wrote to memory of 4408	4684	cmd.exe	107
PID 4408 wrote to memory of 2236	4408	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	108
PID 4408 wrote to memory of 2236	4408	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	108
PID 4408 wrote to memory of 2236	4408	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	108
PID 2236 wrote to memory of 1684	2236	cmd.exe	110
PID 2236 wrote to memory of 1684	2236	cmd.exe	110
PID 2236 wrote to memory of 1684	2236	cmd.exe	110
PID 1684 wrote to memory of 1604	1684	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	111
PID 1684 wrote to memory of 1604	1684	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	111
PID 1684 wrote to memory of 1604	1684	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	111
PID 2868 wrote to memory of 3368	2868	Logo1_.exe	56
PID 2868 wrote to memory of 3368	2868	Logo1_.exe	56
PID 1604 wrote to memory of 1840	1604	cmd.exe	113
PID 1604 wrote to memory of 1840	1604	cmd.exe	113
PID 1604 wrote to memory of 1840	1604	cmd.exe	113
PID 1840 wrote to memory of 428	1840	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	114
PID 1840 wrote to memory of 428	1840	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	114
PID 1840 wrote to memory of 428	1840	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	114
PID 428 wrote to memory of 5100	428	cmd.exe	147
PID 428 wrote to memory of 5100	428	cmd.exe	147
PID 428 wrote to memory of 5100	428	cmd.exe	147
PID 5100 wrote to memory of 4592	5100	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	117
PID 5100 wrote to memory of 4592	5100	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	117
PID 5100 wrote to memory of 4592	5100	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	117
PID 4592 wrote to memory of 3852	4592	cmd.exe	119
PID 4592 wrote to memory of 3852	4592	cmd.exe	119
PID 4592 wrote to memory of 3852	4592	cmd.exe	119
PID 3852 wrote to memory of 4068	3852	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	120
PID 3852 wrote to memory of 4068	3852	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	120
PID 3852 wrote to memory of 4068	3852	9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe	120
PID 4068 wrote to memory of 3900	4068	cmd.exe	122
PID 4068 wrote to memory of 3900	4068	cmd.exe	122

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3368
- C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
  "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3DC4.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
      "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F7A.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4055.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a415E.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a42C6.bat
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a43DF.bat
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a44D9.bat
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4611.bat
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a46FC.bat
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A67.bat
        21⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4DC2.bat
        23⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5033.bat
        25⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a518B.bat
        27⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a52D3.bat
        29⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a540B.bat
        31⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5525.bat
        33⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a565D.bat
        35⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5851.bat
        37⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5B4F.bat
        39⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5BFB.bat
        41⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5D04.bat
        43⤵
        
        PID:2972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5DFE.bat
        45⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5E7B.bat
        47⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5FA4.bat
        49⤵
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a61F6.bat
        51⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe"
        52⤵
        Executes dropped EXE
        
        PID:4124
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a3DC4.bat

Filesize
722B

MD5
6ee8b7c1516fddf66f24a2f390d33a59

SHA1
530cd04d341f1fbbedd00fa1ad173be48b9dad7f

SHA256
7afd693ada556f0a1a56ebd340c1bcd406db5c0360f8c444ac2e8405d8d0fc26

SHA512
fffd85f5c196789b9ebfc864a2dd56dffed7972c9ba4d05abbc3f89c83867d9638aede8e0930a9474f8b8db3ff019109f3d86d56e8fd534de460fe06e414e81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3F7A.bat

Filesize
722B

MD5
84c664f780084cdf30791d2dd45364a6

SHA1
544f186b05e34e3f6b84c247e5814e5fed185792

SHA256
53b7b5cb5b7968b4fa15be056588652a17e6704b8a8f134fe8437d14d69b2154

SHA512
9533e2ac290f6fd7799cd597d041701fe7b05e5c0d1b91af27145ac3e1457916bdf42b9eb10b3177db73d8875bcc6aa2407f8ff9fc5a35ccbd7ca09424beec9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4055.bat

Filesize
722B

MD5
ecc26dd29d557a5708da1383296ad415

SHA1
c95d0a49c7f0cd9c1c67141ceabf264a8f90e155

SHA256
3993c65eab5f0ad109fcac9b71d44e8ae04f6387f8fafb850cabaef0ce569946

SHA512
d075d4504e83b442c6de0849b355c84484e0664d22e409999fac189567c7895dc2b36300d8670a17c2a76a2b7cde3c4f8cb732743e0cae723ffeb1c81dab4ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a415E.bat

Filesize
722B

MD5
063c6237eb60f3f53bfef49c6932a145

SHA1
b53964f0170369ac23a24c157cf33118881599dc

SHA256
af30d56129fb4fb282a991a9f53595fb66dedd75c3a81ad3fda0593b4dea1f21

SHA512
398b2e55792bff90d930b70a4d3678a04afcb2f406a41b76dc73f970ffe00b3664045e45a45902ec527082c79f2be902b6d66befc9579df91c2b3d601b4b2c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a42C6.bat

Filesize
722B

MD5
cdec0d96c869bead7e3c28e5157d5de0

SHA1
3335205c297eb0e96d3166b24988f50a5ba680f7

SHA256
97aaf91e6cfd84556c0c1f2994f261e053c8acd1aeca1ba24c2ed60814e226ff

SHA512
dc5fc19f966f31421e92eb9f20d6b6379e5e57bfe64f04ba76a7ad97c9e5583967b8a56200b8b40b9fad226a1148798eb66a5a9221bae315e735089a5467098e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a43DF.bat

Filesize
722B

MD5
9e9b86aa69354ced24c7a77126946921

SHA1
22555eb7cdf9e6656a5f18fae9e4894d4d7a7727

SHA256
541828085f7b88b680c2fdb33db282c175ff3b54b49aedd64fe69fb7916f6023

SHA512
906f281e6768e0d01713f640a2e73fda08404e0094c136c2f43fa5d5f7b6a75f575f1fa7ae1e5d6f84ccc4e53745449d1e2e777ca0f99ab3782384e071241dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a44D9.bat

Filesize
722B

MD5
a88a11ed996d345ffe7e2699c5b726f2

SHA1
a62d369a4f93cedea1846d27e87c295eb92720e9

SHA256
e95dbfeb53af7971cf35ed52a0da52a30915c170fafd71b2f8180d8ea1798ec2

SHA512
a35554b94c67398aa8f3ecedee9ea9007ccaa6aaad91d8fee498aedd44b3fff03378d72dd64b3216f6a222287065d4ae2f7d64d95742a770cf63954637b606c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4611.bat

Filesize
722B

MD5
03a38cb51cc07077fe2ef45dc3352885

SHA1
054db7a26cd3f7e75fc2cf0c5df78cdab9015111

SHA256
9018de452f703ce9aae5b390f33d408531e61b0a935ce715225e3cdcd81856d5

SHA512
e0afbb552346703bed220f043f0af918f3f80836098b1a35350e3d8623e9b0f3ec0f9fc83c8e0c4f69a57d19a551de2684c166a2dc4551dc376167fe01ed8079

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a46FC.bat

Filesize
722B

MD5
9c63ea15007364c6ebda311533295848

SHA1
bad5a6a690faaef79daa44cadf8f2e9fd28f2eae

SHA256
3b76fb0a28bdacb0255cfec3b6e0a122bf1bc17fdc70d64078df140950c9801a

SHA512
bfda782027579444b05e666aa3c94bd101c9a3edb234efc95ef357e4d87bd7c06290ea7c5eec867046b00d83fc5922e0ef7437c3f0cbc7ac48543b624c6a9ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4A67.bat

Filesize
722B

MD5
a5e7ebc13cc8288dd744ef19bbec8d67

SHA1
4f8ccbd2105b8d476d67e1426d65b8c376b908a6

SHA256
9830754b9c9edfde149b988f47dfbd7e743c8a354fceb3a5a01fe02e93194ae3

SHA512
8b32de8ec712636744e89d6a4ede31155c27c8814bb5e5fa42688522f62ae8ed4487b73cc1b5c68706369449ca5dafb895c67a52bbe8ec74e2bf0f164f0aa7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4DC2.bat

Filesize
722B

MD5
b83abb1942c2778c8ff14948c525da05

SHA1
b15f28907240001935cc66fde6c37d566bbcdd3b

SHA256
941bbb8b7935fce3b0c1bd0b003022e3394e2c786399595ff2687fa03af175e0

SHA512
b7295333b0adc0af14165a3b3e7868c2042eb25b929cc893da39389e5f5c880b01d51008a34767f11f16838ba790f51c4a879ce0b4a28a8022a4bb25e0dbd6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5033.bat

Filesize
722B

MD5
a876fde14edbb7a795b1f560c9352f1b

SHA1
0be124ea504d4f1b28a87ac8cd22287c43ad82d5

SHA256
5e813b72197eaf3bdd06ffe3429f41ae3f349c9ea12e070d29979eb75ad92ff7

SHA512
cd4e9ed06c64b06f4bd73b998cc15aa34a77ac2ddb0131c1fb63e5b4ad32661c03dcd5511f9731320ba6e1d86521981b214c4496cb8d967dfca9783754414c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a518B.bat

Filesize
722B

MD5
aea46e173edf6ee903eb4369db0476cb

SHA1
f394ce3d6d60c35230fc32f5a002e0b1fb38f704

SHA256
da825afd32f274bbcc002904c4ca5e63f21a8054607128fd17b7b83695d25c04

SHA512
e73401f8177892243a314b0efbf55e611a976f2c959b31504ca8b5a8354533d7f1a6ee415921b4e39c8afeb9a31cccbaaf8d07801ddde715a7e78e4605e851c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a52D3.bat

Filesize
722B

MD5
5494ad4fe9c9db061a84d990ab95388b

SHA1
d04c34dc1b6ae757231ce5106f0480f13379d178

SHA256
d65657d0fb23b6cea00ba688b8c4a93fa40a805e4a00f1891ba5e7ca8202aaa2

SHA512
1e250299998fba1cf5421c54e3ab2d4c89c614b02fe9a2a2669c29606ee591ef51ffcecf77dcf46e8e946b0753e073295851479de1d6d1b95e23322e73d7f60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a540B.bat

Filesize
722B

MD5
d6bcdd1c53a10c0977fa977ca5aecc6d

SHA1
297921b97e381636b4f1147f990895bc41c787fe

SHA256
3eb68e111a99f73bbc15e9356f0304f90ba3526695fda0ee1f9bc216ac092922

SHA512
a5f8e3efd922627b65c196cf3eb1a092156caa2455c828bbda84023a0c4c8fce4e6c496fc0ada8aa2f98af6339562401fe1e1191bee765934f0ee355a4341dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5525.bat

Filesize
722B

MD5
f626258c61c8c3e38b762924d7c952bd

SHA1
6d79a4863a409c9f37a6f171ff8250c3c20cb76a

SHA256
57b25723a736fe9cd4ee15c8c470f2fc77b9b993b18b0798b10389b711c4f799

SHA512
57258e1eb0df361f2747f3c58e571f5dcd68345ec8b96bff4d0b357e52f865de74dba14b6d13583c72ec50beb2c1afff2ebdda7e2e4476b7858bd4e16fbf0d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a565D.bat

Filesize
722B

MD5
5ceea1e909a23156d97ced8dfe3aaea8

SHA1
a4bc97cdba576e9128519304320892ce811a7735

SHA256
5aea9244f91857a7606fc5e9d0f596a596237ac43af5a97a28c25e874b68771a

SHA512
b2ddcfea69e3f76dc66038e85008529cc1c4da558f049aedf6a640b4e86d57dd36cb281f2d9c3996d4c4094678ea59b8300cc1a74e6438562ebe7222dbfd180d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5851.bat

Filesize
722B

MD5
515945a54e741bb4ade244f969f70a72

SHA1
71c05bc9c28810915693f48f352754cfaf965a62

SHA256
dfc09e533f7a830bd8429ffb9338845dabb3725c0cb31cb5edd732f93dc9937f

SHA512
b421c2ad259f4c2a3ffdcc74630bd85efccf3a685a19ab49fa16ecbba0f4a2b5b90a2a6ada8ff5296acb3bef045179d8d0efdaaebea840c45c2a0af7924f308e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5B4F.bat

Filesize
722B

MD5
2aa97fbaf721c15feb5f4760ec67dc96

SHA1
64e59334d7591242b7ffff01939ba2a87bf3df1f

SHA256
1605fd5b93cddc23940b53ef43ba389f280fa04caf9eb0fd63b6605451dc99fc

SHA512
30dc6d1e2d8d68dc7d75bf0294036290c37002736adbd9a6a681372fe27c948a87fd6d94f12b3ee6f879f9b5567708798732cf627bdc25200ee2a26fca058534

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5BFB.bat

Filesize
722B

MD5
0009a87bd928ff55df175fdbed71e5d8

SHA1
dd337dfc1b300e560e1865b3928fb3cfb32b47c8

SHA256
0601afe108008830cb7b6beb649ca7ff95517f3c56a2a3b64120c4b132df9509

SHA512
1a0add6b7fa6585ca6438942266918962f8e9e51c5290267a8c8db578029f5e7ce39b393bbd745a973df0a51a085312cef53407d1acf7bdad49c98af789b18c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5D04.bat

Filesize
722B

MD5
52d24608d36d6762ffcbae9e486ca743

SHA1
89288350f447b9fc2f31f9e7ca096ad477fdb0bc

SHA256
37970dbc76d46387465463d591fff132e116d0103514df4652aad606ea78444e

SHA512
9d88e48ce862698871b10fbcf5980062adacad7dfc0550c57d6e3342b6c826f94b81c68713e6a404b97b6361f037e99524ed98827a0ee8aee12929b528183505

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe

Filesize
882KB

MD5
b929088d4bf45fa2a584018289a962e5

SHA1
d6f5016c86b158902d5ee5fe03b0d2d0be06acf8

SHA256
69f6de2eb0a6a293461de7cf7747f7041305c2394c13cebbb3746b6021ac605f

SHA512
1b024e8c14da89606179a31e49c47212d91b579360d5ac2410287f8b9dfc0abe84b5bbbb3da3865472cd26a8c525578ff78fcc8b089817106e68e85f43ba31ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe

Filesize
1.5MB

MD5
99145dbeccf21759ebf949a5225bf3e8

SHA1
01e5d99026f2166fd0a7d0f9881f03231f3e0ea5

SHA256
db353313bce2baba4b840c30eed71e7be599ea1cde1ec0675a4e7fead18a0c0d

SHA512
4d84b325fb796294293e233592b7ab5159c524e32351f70170edc9bc245a177860ee86d0a998147fe5bb340bfad18081e5b0468d319deac569afacede5ddba92

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe

Filesize
2.3MB

MD5
aeb1de757336a237f24503f26c73099c

SHA1
cfba7e7220183e547d01ecd231655f7d060ab09b

SHA256
883794c75c368e243cff4ccba5cce4f89b69894df0d590a9f3906db97c23b96e

SHA512
b9417a8c3ed365ff5821434c6fd8e1bfcc2765199c5a918bb0b42969e4d6810c3b58ab4d3741c6d55cb1cc4b15d8a6ac26c9149641ab5c4249e8b72f0ec78a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe

Filesize
2.1MB

MD5
faa7d5785cfb16942ea70a1ee0637213

SHA1
4d49234cb3cf09c68150b490117aca6a2daf690e

SHA256
a3d94b97437754efb419a6b828243e272ad999cac84963610817a98e17aac232

SHA512
dd01b2cafabcbd01de992be570e48a47ae3ff7b102f092a7236c4cd8c585853253315c62960c4f68e1b5846c94ef89272b2e2e59b01e74954e8eaa759f7e8e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe

Filesize
916KB

MD5
91fbaa6bef9c79cd71f2aab060fefd10

SHA1
920cb9eaf8c7fb2e5dd2a6809436cba623c41cc4

SHA256
fa4f5d744339ce45db1426a8fad0b5c1e370244e24f53501448d13ca136dda74

SHA512
9df9fd2312b010b672a49fcaf984c9df829f2dded43d46e40704d91225e4e26d626654c1ad1525c5023c553659fef34df5cf2b52556f7c47ec1d8971a1144f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
1.9MB

MD5
83791e99f477c0e9e90dda904e3cb43c

SHA1
42d1468bb7a527e8e0ee299487d8eef57e2af9cc

SHA256
02e6af8463ab88e9f0c3db1338522878c26f8f50d2add74e49d1b15077572c5e

SHA512
4a73217b811ba21d2044ef5dda311dc7df5bb914feffb27d367df99a57262349bd1f866f4fc10dac47b70daa204175e7e8c17038a9a99dda85aeb73aa5ac6ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
1.8MB

MD5
6e5f5b1a5f487abf40aea2a567a981ec

SHA1
3cd39217bb1ea1f587e431842f0cdb1b8ef781fc

SHA256
474373394dcf4e0c947ecc6bea61c3c47848d6cd16769fc0ff04da47a181492c

SHA512
8e58d9f576f2836e0b12efbf7e86c3ff3be758712f5ee5898f37fd0b34983c74adcd676e1fe44b20ce29043c130c39e64f4fff835b351ab03982a26775438d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
1.4MB

MD5
900a6ecfeb90580cc1773332f8ed11f2

SHA1
ccf4f89cf54a4634fe1e6d02151d1400ccca4b54

SHA256
26698394a52f14af0ca3ea1e8e643080e34910e4619066180c1ee58f0e9c3084

SHA512
4259cd125b55b8ccd4d854a9c1d46db21bce73abbf3b0243cb68711fe9814bc066254d58320577754b614faab886270c8501af057e7a3c33eb2ebe7dffc6a759

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
1.8MB

MD5
fa2796e1d63da5cdb9ee60640b42e263

SHA1
5dc54011c1015dd6152b80dbd3fd4d6f2f1b465c

SHA256
43154b36023d43987846733c9d2034fedd0c8c9c735642e7b01f6e5fca3d5113

SHA512
81cd939986c31e714dd7601fec8d8f73ef3970f93687ec2fc637dd98c264b96c428b8c86bc2a79dc889594ca22e22094ec27e47b3a5975d0377d92bea62db73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
1.5MB

MD5
8a781be4cfa7bbbacf299cf35cf97d32

SHA1
76293a46b3031c546bd1a8e45ba740fd147cf236

SHA256
0ad6a0edf4e3445d9a4b331b4a563430d76aa06cf00297ac41014cc662df2ce1

SHA512
020a381e31e51b197674f4ae07247ae9dec031984ec5e7b99bfa58b94a2e3c9df0f4766ceba6e096977af5db5a2d275becaee8237f60e20b4ab03e3957ea92f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
2.5MB

MD5
882ced1c0feb3e0ca7fd742e248ae3ad

SHA1
8b8e3988a1de63e79f06728828c31fc80bf5849a

SHA256
c61572e20416ac16d5681f8f93816593435c9a673c549498ca4ea2fd95d59087

SHA512
b90009c36bb689811fd162b26eb2ec6809bb0e5ce166237fba001248833ffca8d21962b521e94cce69d57ffb9107ddd46a87104a081f436b87e1d039a2309b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
2.4MB

MD5
edb4b946d39535a15156eb777693fff0

SHA1
bf4ee6f323855bc98d5a91b748abc57473dc5b08

SHA256
153a5cce3e88a09542f135b3f4927f1f239fea8fb193685c247c11eaa3a8d2ab

SHA512
942b2df1c496ee3a20a4b2d190b7fed9d49ff8ff9d4f78c8b5573b38ddcb84da96ccd60c6738744688c6b84f50b05f4b7951f8ad7706f9c36a421154059ded8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
2.6MB

MD5
9662571dc3d8da26d4e5ac5f89b3298c

SHA1
798fcce5109809f37caf931a2774ddec134a61d3

SHA256
31b83becdd1c700d6df8ccddb384d5b460ea18bd90eeb8a4f7157053e9517a83

SHA512
e3a541f33ed5923248b1d217532e405f6bff47955f8f5d7229415af63931713de91b444d61c447540625367550fd7b933e6c40521385637d6df02e4f7dd60f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
2.4MB

MD5
685bd6d85292dfdfcbcdaff6c5b4f684

SHA1
afedab79bded497ca1247b72543bfe97e65f74b4

SHA256
ee7ccd243b03daf78a707b4de719ad14ae43ebec0f8b50cbba09f3189654d61f

SHA512
88c86f27fb6d97b1866f98a5364d8b23196eade06bfbdf466bfccb28a81cb391bc0c94304284055383b59869d9cc8f7a383c812cc1ccbb974b7ebd6f5844d4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
2.5MB

MD5
976c902fe1ae2832c8f2c107c6d68f42

SHA1
86b9f55a99bdf56b71521326b1540565c14b2efd

SHA256
9ffd071b0006b29bd839c9d3e636341944d453f62a1912103afccc255db9f38a

SHA512
90baa160124e4b8696bd884fa3380d89e059c685251aa1fe952376413ebf8100828cf9cb9282d1124c692ed616e47e112da07de6a7eeb139c677442c8f3190ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
2.4MB

MD5
d148d5bfce90972db98567fb0817fbbd

SHA1
8d8e928d36e7d09ef29cb4b21f233f6ddaa14203

SHA256
db7ef20a52f681ebffaf76dfa65d3e39bc1f6cf7f323d06911d7c6bcafd8ac0e

SHA512
3e3d936a9e5efdbbdf7143e736249626edf00b31e1018a3222337ef02e8cca03b8e78794d865bc4eaf434af258d6811ad4e00129d6f811d058701a11019954ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
2.2MB

MD5
2dd12a18f60a9d89c7b230c8b44245b7

SHA1
0dad6372d19520ed3b3ca404327317e7d6968d67

SHA256
2a2e4fecad4bd26e5344a53bca9e01a2e7f8ce43569338a9cd5c2511490b401b

SHA512
7c31f462f5219b5d34abca99a29a8097d773cbf4eabcfb7cbe2952b90674db04e62ff41c480cd9471d6c9a1713c32fdd854c976d9296a282c9a74f61e42887d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
1.5MB

MD5
2cba55711d763650f38cd361ec687731

SHA1
795095423d16e467121fd4de2ed8f420e7711b1d

SHA256
b4894bfcd59c4f041fc48c0b1e94058d67df7aef99f9efd6964a3c3948552542

SHA512
8a01db7296233426477d925f65c638cc90429d8821a78d2b340c84cd65da6d539593ed2d73467fed58627caf9cfcec64e7f971be8dc7eec6fa21051ffc594169

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
2.1MB

MD5
0ae9eea33f049ac8e6414d0867574d06

SHA1
5f3b16f1abc53c0804d695984eb89cafe13b343f

SHA256
558a0f69bdc5ff5ee4edbfd523df8736c02d9c33432cf04c8b720d6dd3309194

SHA512
7567738baa42da846ea41f08a5a5409699cd13222bbc5b2e0b0403ad474f6267f98ca9efcfe2b3c98cce20ffaf0796f24b1ceac59405a46bfb3de8d15c1e0b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
667KB

MD5
64191a7ecf53cd5bbbb783609b9c0f03

SHA1
9a0e8ea3b92fb0970163c19f903b3306038551f7

SHA256
118a53c57a119d10451abed8b7b22b54b077bf56e28ac45a017394fc3be2b264

SHA512
7888e662ad5a22d5212fea1f6b1e2966d779f3637ea9b38c61a445629ea2c63a9874a8e076a1dcce5f16d0a1b8a113c416309e3a277f7bdc6cbe5c7348d95293

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
2.0MB

MD5
408a1d3312490b178ced4b51b9b0ba90

SHA1
dc5f1833e8451f33700745accd462aae29cb415e

SHA256
f5f7593d671b0883aa8237dffb2cd5abf8a341e391f3ae2632ec1e3c266cfb63

SHA512
5f441fe8e182cdea4685cd8eefd63a29b65d5b3cd907b36ab0e8f733ded08bee20d7e166be6bf4b5defe71b94ff5ba8ec2328e5de6d04cd54aa7f1890181981d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
2.1MB

MD5
11cdc308cc35ef78a14b0bff1f62bbfe

SHA1
6f5fc77b3e3ada468e792d513763f5d67ac71d53

SHA256
27ddb7fb50a34a5f186ccef2e5106b04ae64950024efebc56b59227cc57fbbbc

SHA512
600d75614df72c264fec2d97c0ac62b43f876ddcdb3ddcf9e161ff0c20c2e956f86044b3b2de17a3832873ab02d60951f63b0e04d4eface4d5a148b8f8ea5006

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
1.9MB

MD5
00faecbf1ec97c5ed7fdc852e0a143ef

SHA1
9c5f1c9923d85cda11e6f15f51bd66860304cd84

SHA256
7d90fac8b10b6f8d6d8f100813e98ca9b167300bdbb3d6f7816eaa7cde6381eb

SHA512
a89c4402bad1337eb10c9588be4ed9b00d94ed240ec257406e70752d5e45ce3b7d12e309dc318b8d040c79b4e0d4d6150bbc599f1f5a8fd516ba77bf00755488

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c832042abf62cb72ffb52d8900c89c37528dcb126d3e6db6726ed51f0b19670.exe.exe

Filesize
2.1MB

MD5
f26fa499b5482505844f79a0ffcab103

SHA1
d91ec12e47c3f64faad1837e0eb8dd967af4bfae

SHA256
65a52e543d6afc2fd6a63241ba1deddfd42c83f7837d54b38fdd8fc54c9419d7

SHA512
7b4090b14c9cff5deafd4561b38b7b2ff7cb2715396e02da70fd6d8d9cb2f8e7c20404f3e352169c27107b7860e935d334603708d068d9c8eb6017d838b65b30

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
c340af03b6fc6879c606337af57dfbb0

SHA1
c3c50e1d66d5239ec39352d1fc2703a484f73ca7

SHA256
424cb3abf9ab63440a69cec3819103e643b46812f6fc382e299ee08d73f6e5c8

SHA512
6d493eb54f8c4bb65474dc929c05071df7202306fac08f5e9338fe728f27c8e44e486abec6cbf0c71ff1bda75972506e11636256f2af44768f662fc4badd9747

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\_desktop.ini

Filesize
9B

MD5
ffee50c69ce4733057892ab912ba2f08

SHA1
09ffe94208f4dbeac5a20bad25ffae158e3fc6dc

SHA256
c1b6255859813f192c8648418d3923dc540ce2566fac2a17a736f33014438abc

SHA512
cb68a272d6d7941417a7dddd9988b5b1f2245fbfeb8df4876b59f7b4157e75a8328dc68cbc0b81c3d6386f75d1632a271635eca276bd274c9a5cd54b34e5c72f

Download Submit
memory/636-179-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1028-1937-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1028-2331-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1084-1833-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1204-1072-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1684-52-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1784-8-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1784-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1840-60-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2204-1856-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2256-119-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2452-1847-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2868-4457-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2868-8854-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2868-98-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2868-10-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3420-2782-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3420-2536-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3852-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3852-82-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3900-93-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3920-36-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3920-32-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3928-142-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4012-1840-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4260-102-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4392-112-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4408-45-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4580-135-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4664-128-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4880-1852-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4920-24-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4920-28-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5040-16-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5040-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5100-68-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5100-64-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download