e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
Size

4.3MB
MD5

592e0269f05bb63944acab1ca2da05c2
SHA1

a5543b8512d14c1266ac12fe52e1c120eec87e44
SHA256

e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3
SHA512

df1fd83e51c2d3df39436daf96d477bfa7511ec31d52dbf70a7fd98f89776544bae6adb48f0541050e33048a9d2fe68eb80110e9787c31b16e4c505aac8a1340
SSDEEP

49152:oM9jWx/KmK3KTaHGZpaEQHv8FJ9AE7BhvoNBPNpfqreSCUnD0DEWdCz4qI:LWx/KmKLGZpaNuAElhSD3gY4q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 35 IoCs

pid	Process
1104	Logo1_.exe
4320	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
3096	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
3672	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
2648	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
1360	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
548	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
748	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
1444	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
3132	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
3832	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
3180	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
760	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
1180	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
2888	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
3192	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4336	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4940	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
1628	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
664	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
2788	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4244	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
2632	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
1636	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
1684	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
3932	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
1000	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
2316	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
2560	Logo1_.exe
768	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
3880	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
852	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
2936	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
3980	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
1668	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\swidtag\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\applet\_desktop.ini	Logo1_.exe

Drops file in Windows directory 39 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File opened for modification	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File opened for modification	C:\Windows\rundl132.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
File created	C:\Windows\Logo1_.exe	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2240	1104	WerFault.exe	82

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
2316	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
2316	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 2892	4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	81
PID 4456 wrote to memory of 2892	4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	81
PID 4456 wrote to memory of 2892	4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	81
PID 4456 wrote to memory of 1104	4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	82
PID 4456 wrote to memory of 1104	4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	82
PID 4456 wrote to memory of 1104	4456	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	82
PID 1104 wrote to memory of 4596	1104	Logo1_.exe	84
PID 1104 wrote to memory of 4596	1104	Logo1_.exe	84
PID 1104 wrote to memory of 4596	1104	Logo1_.exe	84
PID 4596 wrote to memory of 5060	4596	net.exe	86
PID 4596 wrote to memory of 5060	4596	net.exe	86
PID 4596 wrote to memory of 5060	4596	net.exe	86
PID 2892 wrote to memory of 4320	2892	cmd.exe	87
PID 2892 wrote to memory of 4320	2892	cmd.exe	87
PID 2892 wrote to memory of 4320	2892	cmd.exe	87
PID 4320 wrote to memory of 4624	4320	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	88
PID 4320 wrote to memory of 4624	4320	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	88
PID 4320 wrote to memory of 4624	4320	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	88
PID 4624 wrote to memory of 3096	4624	cmd.exe	90
PID 4624 wrote to memory of 3096	4624	cmd.exe	90
PID 4624 wrote to memory of 3096	4624	cmd.exe	90
PID 3096 wrote to memory of 4852	3096	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	91
PID 3096 wrote to memory of 4852	3096	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	91
PID 3096 wrote to memory of 4852	3096	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	91
PID 4852 wrote to memory of 3672	4852	cmd.exe	93
PID 4852 wrote to memory of 3672	4852	cmd.exe	93
PID 4852 wrote to memory of 3672	4852	cmd.exe	93
PID 3672 wrote to memory of 1916	3672	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	94
PID 3672 wrote to memory of 1916	3672	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	94
PID 3672 wrote to memory of 1916	3672	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	94
PID 1916 wrote to memory of 2648	1916	cmd.exe	97
PID 1916 wrote to memory of 2648	1916	cmd.exe	97
PID 1916 wrote to memory of 2648	1916	cmd.exe	97
PID 2648 wrote to memory of 4304	2648	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	99
PID 2648 wrote to memory of 4304	2648	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	99
PID 2648 wrote to memory of 4304	2648	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	99
PID 4304 wrote to memory of 1360	4304	cmd.exe	101
PID 4304 wrote to memory of 1360	4304	cmd.exe	101
PID 4304 wrote to memory of 1360	4304	cmd.exe	101
PID 1360 wrote to memory of 2640	1360	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	102
PID 1360 wrote to memory of 2640	1360	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	102
PID 1360 wrote to memory of 2640	1360	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	102
PID 1104 wrote to memory of 3468	1104	Logo1_.exe	55
PID 1104 wrote to memory of 3468	1104	Logo1_.exe	55
PID 2640 wrote to memory of 548	2640	cmd.exe	105
PID 2640 wrote to memory of 548	2640	cmd.exe	105
PID 2640 wrote to memory of 548	2640	cmd.exe	105
PID 548 wrote to memory of 4760	548	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	106
PID 548 wrote to memory of 4760	548	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	106
PID 548 wrote to memory of 4760	548	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	106
PID 4760 wrote to memory of 748	4760	cmd.exe	108
PID 4760 wrote to memory of 748	4760	cmd.exe	108
PID 4760 wrote to memory of 748	4760	cmd.exe	108
PID 748 wrote to memory of 560	748	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	109
PID 748 wrote to memory of 560	748	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	109
PID 748 wrote to memory of 560	748	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	109
PID 560 wrote to memory of 1444	560	cmd.exe	111
PID 560 wrote to memory of 1444	560	cmd.exe	111
PID 560 wrote to memory of 1444	560	cmd.exe	111
PID 1444 wrote to memory of 4592	1444	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	112
PID 1444 wrote to memory of 4592	1444	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	112
PID 1444 wrote to memory of 4592	1444	e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe	112
PID 4592 wrote to memory of 3132	4592	cmd.exe	114
PID 4592 wrote to memory of 3132	4592	cmd.exe	114

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
  "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a347D.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
      "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a35E5.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a373C.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a38B3.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a39BD.bat
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3AF6.bat
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3C3E.bat
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3D28.bat
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3E80.bat
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F6A.bat
        21⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4093.bat
        23⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a416E.bat
        25⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a42F4.bat
        27⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a43C0.bat
        29⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a44C9.bat
        31⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a45A4.bat
        33⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a46BD.bat
        35⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4798.bat
        37⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4873.bat
        39⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A19.bat
        41⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4AB5.bat
        43⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4C0D.bat
        45⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4CB8.bat
        47⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D74.bat
        49⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E10.bat
        51⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4EFB.bat
        53⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F78.bat
        55⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4FD5.bat
        57⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat
        59⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a510E.bat
        61⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        62⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a517B.bat
        63⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        64⤵
        Drops file in Windows directory
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a51C9.bat
        65⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5217.bat
        67⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5266.bat
        69⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe"
        70⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\Logo1_.exe
        
        C:\Windows\Logo1_.exe
        57⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in Windows directory
        
        PID:2560
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Kingsoft AntiVirus Service"
        58⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        59⤵
        
        PID:3596
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:5060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 984
      4⤵
      Program crash
      PID:2240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1104 -ip 1104
  2⤵
  PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a347D.bat

Filesize
722B

MD5
291e9f95e54344c90e089c10a39bec86

SHA1
91249b11242e7ae73ad19fc4c09ea35423b494bb

SHA256
2c96ffac3504377cb437cd8e1b32e4be9f0bd4b7ef1186218502c8d5db3a4d91

SHA512
3f0b9b5df48d93b24b5a92881441adaac28c17bb24a93330382a8227dd21a5551a388625d2022c2e4fdba3ee194a1e9845cc9e970da0cc41ea58c056f63ee941

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a35E5.bat

Filesize
722B

MD5
ce4ee6378638dd335d049e2b7fa3a5dc

SHA1
d62508b150acea4dbb8a235d4abf55fd5b58e76e

SHA256
876b2239a8cbddd830335aace3580eb94d46083a6407a8a158fb41782bd2bc71

SHA512
5e65a69bd0c99250b27da49d0d9c25e8a9a366d1f1deb0a9a1611e24f6b30df92e0e897f55815094c86c6178495602639ec583774bf3b96c4f7abd3e7f2bbd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a373C.bat

Filesize
722B

MD5
175ab80b235565020b470d97f407fab9

SHA1
9e0367eadcd721a004ad85aa0a8a72a38013a7ea

SHA256
eb099f95c64c26c3fed3c54ea9fe4119440d88f5249fd44148065c390f2fea28

SHA512
59257ef97471a88d830767255cc6ecea0e0a9e26f08539b43f1ad78164c7f765b99b198c68133f01e9a6049dec15a425b0662fbfbc45b61ac007dcc5cbf71754

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a38B3.bat

Filesize
722B

MD5
234814137609b9486048de64d61ff0ac

SHA1
0d62e2b7ab58bd783abb95ee00c5b05b46270264

SHA256
479afbb699a5611863b1d0d19f7ffa2b9ed5ded6a5eceb704c70abfe579f2fc0

SHA512
578aaa298d12be6bc03050474e4eec7cb0334d431c74b71f2e2775b46410c289255f4be5aff996d5053025ebce851e5cf7a4366c4c7c926b1bf0f613c5bd5491

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a39BD.bat

Filesize
722B

MD5
952cd02f795c2ea7426c769d1fa773fe

SHA1
fb4840c30d722347894b8374d335863f19d6266c

SHA256
cfe47d63f59f0a05c34e06c3e44299276102acda0f7c2bfe011816b9c7d51345

SHA512
2dff491bfb28afba5c2e240bec7b99dd3fafd980c71cfe3b83286dc8a22203da76a2b6f321e82cfddfe6c5e4c5dd8018b14f81169472fed0923b2f27a5d5d9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3AF6.bat

Filesize
722B

MD5
1c8f03f1f044fee4adc2ecc25239d059

SHA1
da97fe6e0a620168c5dcb757625b44b51379fcf3

SHA256
fcbe27371b850521017b0766aa1ab7252a871b527b6dbd0efa689d96fd6a51d9

SHA512
efa0b79878c99bebd2557caa8124a35258338553fcfc357c52100b7650dc39907c2f3b75ce43d3a78b80b8f3dab111d41a3aaf5e0c871873297ab9b7315b1878

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3C3E.bat

Filesize
722B

MD5
6f8345ec9559d73da9cba358a0f36c52

SHA1
22bb14a1e314a3abf7585948e635cce00fd15f96

SHA256
f2abfaa83fabb4f4e01fd9399f1aa30fbdb7369963000ff6a29c3a315a3a99ee

SHA512
c0f30c0c9bad244551b3833833b041045cd847549cdd64f559fb3adac6286731801ede851eb816ff7607ad34c662337f0f4a5b1b69d510ebcba8a835f30fa696

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3D28.bat

Filesize
722B

MD5
45839bd5dd2dfa90205c9c52776c06b2

SHA1
4d4f91437b90f2ad78c4e051c71f16e25fb8c518

SHA256
e9646a40af29fd0f8c1799197920361a1ef622ec1084f4c90090d668b38d3a35

SHA512
2e9e6536dcc2fe39c25f2e18c3cc24622a9ffefa676dab93756a430a7963b018799be061c553ffe83dec4feb08d92ac785d552370ad7d7355202ff46b213000f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3E80.bat

Filesize
722B

MD5
de1736d377b2501f2a7ce152722f9fff

SHA1
3b6bde2e71eef9757bd048113fcb0fb2a4877784

SHA256
56240fbf5c6ef92657182cc499678403d3bfa314223fcc6d12b86716efd4d990

SHA512
b27980de8a0499c5d104750edbadadc5d68137aec5345971b11c06c11997e947f2549d8b1258344201b7685c1c508cde87234fb646d2a81bbd29682233f6440d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3F6A.bat

Filesize
722B

MD5
b93f1a84bc6c28e95d809c4e785b276c

SHA1
815eaf6ae765f47d25def401a85ef7e37a04c01c

SHA256
519294eaeb0bb9102405382b1db1f88264752df273f023e69680cf0f5928df7d

SHA512
f16772478ccff68c2bee39070a099a470e8e8e38b645a1c54ec6f8fed0a240ab9a6252a7ab84987b5b5c0cf6053a9fb2187925b789f2d1f9f10cdd0ebacb51a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4093.bat

Filesize
722B

MD5
93ca7a4932e3f16e966d09d4b104f215

SHA1
ba64cc57c59e0314570e07a2ef4e3776bf5d7e67

SHA256
bad47a74338937409ac15535551fbc8e05ce28376e6f7dd3e7d045188a617ba8

SHA512
a0e0bdeff41f01742486acc61274564df18cb7edcffcea54fc323314f82289f933c23684746c9fb26f996be343cce1d73f600b43b4b02200b277c56df473b127

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a416E.bat

Filesize
722B

MD5
741cc668a2f222bd7862f138981aa216

SHA1
3e406e58e3a3678ee3fa3683da11e7960b03b55f

SHA256
4bf51fcda557b88189af79c4097098a18554969c2060abb034f5abf0c1f8ad04

SHA512
b7d98362c712755af51aca5be1e1ebc3ba0977058f9565af1b0cb9a721202ba9777f87bfe40ddcba89a2bf75154efc80da05ee4f366a8a000278cacd82b09caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a42F4.bat

Filesize
722B

MD5
ca4582b7087313bed1da93194c571e55

SHA1
3ec6f150dc084d8cb98e6b8dd74cd71766f68d95

SHA256
36c2e1b268b656cc9c7831cef77314744ddd44de784c1890cddb23380240bd65

SHA512
3bbdea6d606f28999c1afa9cb511177148666b16bed44701e1aa866cf9df9868bfe3f452ee8c1abeb76e0d230b0dcc03316047de9be304b5347d7b27dbcc17f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a43C0.bat

Filesize
722B

MD5
a985dc3c876cc1a4db9b769394605a3b

SHA1
2983b8485d5e3e81ff3810b6de5ba3d7be9b3515

SHA256
0587cf6bd2e222ef9bcbf1ab99c89382bc886117600a2f808b43ae2bc45cd79a

SHA512
141e7aaa42ea89c64cb11af26662e7dce8979420c2211d9238f6641668978b1bd6f13a115433fdca6fd965420703c6a3f1d3156861d926267c2641e62b3dc1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a44C9.bat

Filesize
722B

MD5
5963cb738cee9f3946bd6f1b51f99c59

SHA1
aaeaacdd6fb565dd608139c01934d3f7b984e652

SHA256
316a7da3d6218ab3f563bcc1348bbd694bdf345bd401cc0774f0439de12d5a55

SHA512
6a39a0137ef613e10fadff7d54d3e04bba986e810f024b52fd6142949c2e3d230cf89ae0e67dc241716fc4b91ae2d9564ca0b834587c9f6588133f754c53a186

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a45A4.bat

Filesize
722B

MD5
88fffae85d7aebc8c728df74d227e1da

SHA1
54921367d36aeea1ceae6d1db4daf90e5ada4d7a

SHA256
8b21d76fc9e56ce0d0e5a849d8641a514a248f57b551d75f365a61fd254bf4f0

SHA512
02a0bdeffee12c1c9e677868aec4c9098a8221476c11832c3ae65a89e2271ad7a10c981a84067819294a1a45bebc95a18cf3d98445c2d851b60960371bf859ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a46BD.bat

Filesize
722B

MD5
67ec8ced025364cd4ce0e5d422b3bc93

SHA1
d9cc60290255f05e2751e701be8cf06f411d7594

SHA256
3ff10c06c236758ce43edd5149e9bf76c742747de45708e21c24c2b4e99e1d5f

SHA512
34fbc2ce88835afb28681cf5d192765cbf76ba35b0372c42ddb4fbb6cd9fb1fd5c8d48ca8d2cdd5f9538a93e36e8dab28cfd08054ab0d04f4dd3cde714d4b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4798.bat

Filesize
722B

MD5
54d6e9955d7a235623efc136e7cef4db

SHA1
8d701ae57d20b28724ed22724033ddf89e60f10c

SHA256
b6959b11ac0afb0949ea406e73495cc354a17228e3ae6a9bb0fe298ee7925e22

SHA512
4a4a432953def4217a1d39a9ced6ff670393dd5c9b1eb5c8a326d8eb30fcde72438301ec921f6f674acfbf2906dab0a495add3975836b7b00a3341462d84519a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4873.bat

Filesize
722B

MD5
5c179dcbe10cf97a171067f8c1742eee

SHA1
3c97a4a360542bede3dc52d54b26ea77b5249791

SHA256
33959723c9a6f2b6c3802dbc4c631656504d75cf0c35ffee2bf39909e24fdb37

SHA512
514a06a448e399f9ffc166fd7065a549e72581c1b993e9e89fff59b108d033551abfeff5e83244231e84180c97cce8d6a045931908f09dae4d087a55049f642b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4A19.bat

Filesize
722B

MD5
2de18e8a4029f1b8b4db1339c3e83982

SHA1
b43c080d302ff9e864c0112b44093d04609480a0

SHA256
95328145f130314555cc52e9584b2fae1e0f517eba2cb15b4646e532b7daa9b8

SHA512
a673274a56def7b6aac93f41ecb0b6baf7ea345e46565bedac1048061a761308634076b04129665ad84f13116f0814ab4852160e5d6097369408535de7c34bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4AB5.bat

Filesize
722B

MD5
bfadc6b5fa81462d9462e612b24933a4

SHA1
04fc2abb9af0b3ca0b19ce78dd61ba2bf148b8b2

SHA256
3e34c6e3dc9189bc32bdaff6548c5c5a80550d7d958abdbfb28ba40760c5481d

SHA512
9f6ded820f2289591e986df72bedd3bf9c47091c44bd753d2295d25931e0059e31b690c6067db924c1e75b7783c88d5869c58da50fbdc2d97121af4e371b3f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is52F7.tmp

Filesize
1KB

MD5
5453343afefb32307659574a4da803bf

SHA1
b01072bdcc799391c510054447a6a8cbab71abd3

SHA256
02eedbc35423bf428545f27b5575528ee996e75a0cf8157f47cf3e302547d508

SHA512
99c4d5731ebba9ea659d30956d60beb6c1be5e9872ee027eb7174ba08e7fa2ad8bd9d91c82313a27577f3e9c5eb49b46b8929c7f29491d0db15d3e1cd803eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.8MB

MD5
9c750c4af543bee211e93b57e99bec7c

SHA1
b975eaf950c2677761dea3d849da372579801156

SHA256
a0ab3788218682f7494c0a84e43ed1aaa58a84e96b50680a365da1fba6c1e9d2

SHA512
a14aaa21c6032a436ab16ff821dc7b8e8dd3795787964dc36691c9bad26ff07be28bc23c626dab782c733e6877050d1f817c2b2d653da7eacb82eccd0c353e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.5MB

MD5
a1efe2405eb43a47d76fd20cd72ef766

SHA1
af8a9492855d430a8fcc9ab58249c3c097a981ac

SHA256
6f658213093ba204e684cf00e67e85751a3d3135d0188101f49dcd0184a1c33e

SHA512
58097f0de64f86d03d9bc61ecbef5c9c1377f86979857f431a2b47eefa39059102a6ee39d6f40e4ae84a7e3c607d64977b11785acfd5d11d69c7fea481e0d676

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
4.3MB

MD5
3df9284a7a827e96c982aa7dbb0a3449

SHA1
2364b9dfdf30587617efdecedf30752aaf1f2c72

SHA256
91998a5238603af52e99cf9ebfb764599efacda3dc4373682b7705659888cdf4

SHA512
f90a6a0ed4973f63dbc467c8d954b559cd297873899d98468e88b13d3bf4b922303ebafb732cd532178ca17b192831e5629480382e23add180c2345a4b4f17d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
4.2MB

MD5
960bdf3af50b67e8949e51fef440063c

SHA1
2601eeddc1104f9a03264dc5775c26bd3e5c67ee

SHA256
9a62439938a78c883a7339dd331f2a6968be4d587109597f998030f35c44c0e9

SHA512
7f6d050122b3262a47494e28d7ac8419f834351ad90c6d2695da1b0601eae91d367ed81d4fe1ce8c32a4a76c8054009ead94e0df61d336d7e3d9047fd309d05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
4.2MB

MD5
f2c91ec5a712982aa22be52f8d7f2755

SHA1
716c4feb2523cbdf1ede42ca0f2cbd1318d79d24

SHA256
91a00511132f54629ff39f85651dff382d09572f5270060f1d11da33489279fc

SHA512
d0434ddfc8dc21019db99c423eda22f5aae3e3a377d9b719fb57ad77aa7c81c4eae734213d6665f2b828ebe12fe1c5b945e758b99395c97f103fc0276abe672a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.7MB

MD5
e196371c438d6228c3bdf7c8dbe6a1a8

SHA1
60d1812736b5a5e3faed09d2042b92fda1b088b2

SHA256
3716ed2493356a69a594f0a1c527d143abc862fd4ffc12c874c189847c97831b

SHA512
711d2e6e6aca20ebf767549cee4b594a0354aba602f6def3f5e9d741ed93b98aa1571734a57e8a8839cfe1a431a5e1c51b4f2dd664b171ea76197fd89b8fd874

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
4.2MB

MD5
e0a2a952b40cd65b09b9687e6c38d4d6

SHA1
729e185aa0d874f30f53cd6887b6b07d657ba403

SHA256
c41b1a583ee13a59c30ba021535121768346236b30d600a9fa425c861c64c80b

SHA512
5eca4c4fc005d57620d67a175db3705f52e344b3bfdbbb1b1e6c23c21cca2d0866332b361dca4f9cc5b7c3a917aee28147a759e800700b1ff99109316f410297

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
4.1MB

MD5
15d42442c0ad97c6db1af59024293e36

SHA1
912a692291d0c4eda041f1c423978739c5380585

SHA256
6ca7a0c9f3e9383ff5512a05422eab5b740b5b02f65a79df177aa8658557f371

SHA512
fa83623a4472e94edf6602310265906634f2b6d6cedf76840d830d82403a7af4f6de351df08abf1adfb162374e9b8ef28c2d03eb8ff54d53afd937411d019378

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.6MB

MD5
0f7b190e259ba553527ed9fb4e70061b

SHA1
2257157880ac52fe6e0eb2fc7de2c752468dfa9b

SHA256
9ea905825aaa08dddcbf76ebc691a15390a56426d9642a4cbf5373d133042059

SHA512
0ba911f992f1cd55507959ba4a8da0d263667baace0deb6086382adbae9d05513cb832df5d7d0a64503565b79b4a024e88d431bc852e755580d8f1bd913e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
4.1MB

MD5
70682aa162f988242c6c43dc229440a4

SHA1
7340d30a395f6d8972ead90822e871cc9ab98e63

SHA256
ab1cc4d7870bcbdc6596c3a3a74459c85c7ded14732a7fe989cc0540957861ab

SHA512
9eb94dad31f6bad53e95e9420002253b5d6893a85ae59639a952d9b51a2c6ca30d858231224b4df017d04b036cc7d0a36d29c5c34e75377b6e14bb2430603eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
4.0MB

MD5
3678d22d597811c8c241c18ae51d826a

SHA1
5b68eb3ea0db72cca60f09321e8592c3d1b01107

SHA256
8f59ab94c1cca3315f84864afabe9d348bc7ec79ce7723d3e195e5140d1f98ec

SHA512
9a0f2d50cfc58613439d7f5ad80390a112f5f9e160e356f911cd89f32bedb52d8543e6d4849dd61c036342cf98f96cdd497c9104a5b50c945d7ec3f855e3bfda

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.6MB

MD5
7eeaca39dd4fa393458297e323eaf2ff

SHA1
1513685d3b5f4766eb8f31c8ba82e0f5139220f7

SHA256
2e05fa5661c2d4eddd4ce6779fc8865d140c7638fbbe32e7eb4c60b49c63d5db

SHA512
c3e4171e120b0fbf7564369cb36613bdfdf7b12af7d0e339a6a82753caa3d8018b5117e5636bb7b07e582133c032cc704bbb0e446bc023e5e67518ef2a69913b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
4.0MB

MD5
8a23794c3ca60b8647fd9bc6d1c0ec95

SHA1
1746dbd9a43ab61cd8c1bf882a864a42a86436a0

SHA256
01cb843f82dbdc3d1caf47c3a41fd01dc0dc4ac028cbcb7050c7020e73542b53

SHA512
b3ecb49ced0984140734afe14cc7887c865386454c8891be1f14f0ae21690379da7fdbebe6ba6f45f43c2b7d6d934c9bf384bc5bab733bd8b1a40d3d9117a554

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.9MB

MD5
c7f6fb6839fe5c06d91f7b24bd1d3099

SHA1
fd7c2ca06bb0cdf05786ebdd1a6ed2dd41bb5ab0

SHA256
2192d2448c01035c4ceb65155662b2d7cc2676533cf911f5fbb913109b8f52aa

SHA512
c3e72b304fccddf7cb1efd7594860d0df58cea591b110cad11187b0d02e3adc522971a8716bbec9d107badb5d962a4277e03e27a1e2db53ee49630a661b9d40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.9MB

MD5
e1742b7f3dcc8ff7142d041edab0c33d

SHA1
d3c738b7723a34c56b557dbe0b596e174619bc72

SHA256
cd36cf506835c5b3f7f79364e66fa077843d0335639236bd6322a17f456fd43c

SHA512
8c3f7ed952d576957e65a99af3ccbf532ddf3465e426ac851178777220dbe279546dac7499c2c60624f324031a5b36adddc665ed24233f537b852010f1b14464

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.9MB

MD5
1db37b80d69fb40b0df0269245159f9a

SHA1
416a3299e061acef6e3e73ea6ebb038dff1e695c

SHA256
7d8a946c3b4aceb222ba6399d21ddfaca7f878572c468c50a40758d95e2161ad

SHA512
f2f2aa9de278a1b0dff1dbf18f2044d48332006c29fce72a1446d5a0b00714197fc04c070b61aefd8267b790815a3732e40fd5b319bf73102611b651867e4348

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.8MB

MD5
080b508382f4e2a62d3aa72debd7cf36

SHA1
3a741bc765be25edafc2e8866e08a0c31768359c

SHA256
233a945f3a8884504d35d6f0cc2a7f38989f3c3e4cfa8e4ad392e319720e15b4

SHA512
3455ddca2882006ebd0243044e5952e610d7bd358deecb80a83c935a2ca2d1f3bb660152f4e6e64d040f540b75ac9fe34ab052b714f9c1f7d2b660c0cd94107c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.7MB

MD5
408b20e16a98e43459906847e0191efa

SHA1
1f9dbbe3475b4c93cf66c1da7db556405da0c101

SHA256
cac256071bc6666638ee6622bc7376710fb6077718c058c1a1615915eaf4f0e8

SHA512
c1546e7bf15917ed434d45bf2a9dff5c8f43b0f93211b82fb4f43ce5191ae6ede1d6381c8fc9325c7f3134085d1a4ecef1c46eec78abdd206e167e22734f6aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.6MB

MD5
9a6ee4318ea0c32484f2d650ba80ce7e

SHA1
e6ebce53915a6c291d21740b29126675eaacc76b

SHA256
9d59bec06ad62dce146eff3a7d334f0625ce06bdd065f12ba58beaf63d8d4426

SHA512
f07c33831b89835f8957a093833b93ec35881760b6e21bf7ad5ef567df3a3b5c92af2317a1e6a94ea154930f991c8ec3541a314f66040ce548d2b8e8527350ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3b476915bc9ac0424303c2badea4fb41c93dd7812ae04d6a51db1eaccbe0fb3.exe.exe

Filesize
3.5MB

MD5
77ea4ac4f8ad8c6a6cc1e11fcbef1cee

SHA1
9a7b042d75d4dc836de7390046f15907baffe828

SHA256
69814cc92ae1d7f046a22b76d4bc6711e16b8b42871606beffa47ce720a365e7

SHA512
d19620e01a7562cd49e0a43c4c272d3f2efeed9143afb4d64cc37d92849a4c7fdce6973322e1f101d4a5b946974760298cec83ea55a74053c7f809afd2662edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D1BE5726-C3B0-4891-8026-062B3B080FE4}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D1BE5726-C3B0-4891-8026-062B3B080FE4}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~52F4.tmp

Filesize
5KB

MD5
1533ce34575752aaf9a3020599c131ba

SHA1
24c1e2313276a40de717fc556240e4199701b19a

SHA256
25675678c980d33a1db21fee21bb8ba75354f3403f26c2a25e8c5c3ce37da0ba

SHA512
46c22e96abd4a8b03acb05a8e0aba5ba42ab026707dccb80538e50c8f4ad625a01b6808840f1801912b4bc8ff33f00d8354283d3b0dfc9591c8279fd9de4e1a1

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
4db33aca198f9e9afcc012cd7ea077e1

SHA1
6b4b21442dd5091b5d3f586dbf860e0d674f60f9

SHA256
c1d47f6a5ba1a75b76b8826c21596cc74e342b014b7b559e9d20a403d2bbe1d9

SHA512
9a6f36bc295d81e866ac2c2105efff604d1ff065f5bd86e361d1f7538fdba5b32ae6faf671f1b6aff13b112aa7bc8011bca842d554e1091b1aa073c58f3d3a78

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2080292272-204036150-2159171770-1000\_desktop.ini

Filesize
9B

MD5
03c36dbecb7f35761f80ba5fc5566da6

SHA1
159b7733006187467bda251a1bbb278c141dceb6

SHA256
85a53f5b976fb1c26ce14c31e93c1f68997d2d8b09ab9aa2b7e0d32b8e50ec3b

SHA512
fe573085d2abef34adcede2f89b1c2810875ab00ef9ba27a1d95ed1dbe93e182fc53d981901a0b8048dd4eb5fdc852b8f0e0c3a0e1a404cbbe70e13a7a14104a

Download Submit
memory/548-61-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/664-270-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/748-75-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/760-119-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/760-115-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/768-493-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/768-497-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/852-504-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/852-503-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1000-476-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1000-482-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1104-10-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1104-478-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1104-95-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1180-126-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1360-53-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1444-83-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1628-165-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-466-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1684-471-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1684-467-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2316-491-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2316-483-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2436-505-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2436-509-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2560-580-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2560-490-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2560-578-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2560-579-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2632-462-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2648-44-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2788-314-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2888-133-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2936-514-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2936-510-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3096-26-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3132-91-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3132-87-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3180-111-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3192-143-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3672-31-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3672-35-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3832-96-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3832-100-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3880-502-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3880-498-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3932-475-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3980-515-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3980-519-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4244-380-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4244-406-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4320-19-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4336-151-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4456-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4456-8-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4940-158-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download