Malware Analysis Report

2025-01-22 12:40

Sample ID 240622-x1rnksvfkq
Target 1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093
SHA256 1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093
Tags
aspackv2
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093

Threat Level: Known bad

The file 1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093 was found to be: Known bad.

Malicious Activity Summary

aspackv2

Detects executables packed with ASPack

ASPack v2.12-2.42

Deletes itself

Executes dropped EXE

Checks computer location settings

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 19:19

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 19:19

Reported

2024-06-22 19:22

Platform

win7-20240220-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe"

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
File opened (read-only) \??\O: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
File opened (read-only) \??\V: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
File opened (read-only) \??\B: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
File opened (read-only) \??\P: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\H: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\H: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\V: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\A: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\T: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
File opened (read-only) \??\H: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
File opened (read-only) \??\E: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\J: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\O: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\N: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\T: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\L: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\N: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\Y: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\T: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
File opened (read-only) \??\J: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
File opened (read-only) \??\B: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\Z: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\I: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\L: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\B: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
File opened (read-only) \??\N: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
File opened (read-only) \??\R: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
File opened (read-only) \??\Y: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
File opened (read-only) \??\J: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
File opened (read-only) \??\J: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
File opened (read-only) \??\O: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\B: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\P: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\Z: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\R: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\T: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\G: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\R: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\P: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\K: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\U: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\M: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\M: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
File opened (read-only) \??\J: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\S: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
File opened (read-only) \??\I: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\V: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\V: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
File opened (read-only) \??\Z: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
File opened (read-only) \??\A: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\P: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
File opened (read-only) \??\A: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\Y: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
File opened (read-only) \??\B: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\O: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\L: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
File opened (read-only) \??\S: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\H: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\P: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe
PID 2588 wrote to memory of 2868 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe
PID 1588 wrote to memory of 1944 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe
PID 1960 wrote to memory of 1232 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe
PID 2948 wrote to memory of 2088 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe
PID 1276 wrote to memory of 2552 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe
PID 2652 wrote to memory of 2764 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe

"C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe"

Network

N/A

Files

memory/2916-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2916-1-0x0000000000442000-0x0000000000443000-memory.dmp

memory/2916-4-0x0000000000400000-0x000000000099F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gameofmir.bat


memory/2916-16-0x0000000000400000-0x000000000099F000-memory.dmp

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe


C:\Users\Admin\AppData\Local\Temp\GameLogin_Debug.txt


C:\LoginTemp.ini


C:\Users\Admin\Desktop\2015原版江湖情缘.lnk


memory/2588-26-0x0000000000400000-0x000000000099F000-memory.dmp

C:\gameofmir.bat


memory/2588-38-0x0000000000400000-0x000000000099F000-memory.dmp

C:\LoginTemp.ini


memory/1588-47-0x0000000000400000-0x000000000099F000-memory.dmp

C:\gameofmir.bat


memory/1588-59-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt


C:\Users\Admin\Desktop\2015原版江湖情缘.lnk


memory/1960-69-0x0000000000400000-0x000000000099F000-memory.dmp

C:\gameofmir.bat


memory/1960-81-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt


C:\Users\Admin\Desktop\2015原版江湖情缘.lnk


memory/2948-92-0x0000000000400000-0x000000000099F000-memory.dmp

C:\gameofmir.bat


memory/2948-104-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt


memory/1276-114-0x0000000000400000-0x000000000099F000-memory.dmp

C:\gameofmir.bat


memory/1276-126-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt


memory/2652-137-0x0000000000400000-0x000000000099F000-memory.dmp

C:\gameofmir.bat


memory/2652-149-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt


memory/1260-159-0x0000000000400000-0x000000000099F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 19:19

Reported

2024-06-22 19:22

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe"

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
File opened (read-only) \??\K: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\K: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe N/A
File opened (read-only) \??\H: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\X: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A
File opened (read-only) \??\K: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\T: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\J: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\N: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\Q: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
File opened (read-only) \??\U: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
File opened (read-only) \??\I: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\U: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\L: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe N/A
File opened (read-only) \??\H: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\A: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A
File opened (read-only) \??\M: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
File opened (read-only) \??\A: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\G: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\K: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\J: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A
File opened (read-only) \??\V: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\B: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
File opened (read-only) \??\L: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\N: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\W: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\L: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
File opened (read-only) \??\W: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
File opened (read-only) \??\U: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe N/A
File opened (read-only) \??\R: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A
File opened (read-only) \??\T: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A
File opened (read-only) \??\R: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\A: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe N/A
File opened (read-only) \??\T: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\M: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\J: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
File opened (read-only) \??\M: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
File opened (read-only) \??\A: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\Y: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
File opened (read-only) \??\T: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
File opened (read-only) \??\I: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A
File opened (read-only) \??\L: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A
File opened (read-only) \??\P: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A
File opened (read-only) \??\N: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe N/A
File opened (read-only) \??\V: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A
File opened (read-only) \??\H: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\Q: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\R: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
File opened (read-only) \??\I: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
File opened (read-only) \??\B: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\W: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
File opened (read-only) \??\P: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\Q: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
File opened (read-only) \??\B: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe N/A
File opened (read-only) \??\H: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A
File opened (read-only) \??\N: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
File opened (read-only) \??\A: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe N/A
File opened (read-only) \??\Q: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A
File opened (read-only) \??\R: C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A
N/A N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 1300 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe
PID 1284 wrote to memory of 1300 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe
PID 1284 wrote to memory of 1300 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe
PID 1300 wrote to memory of 4852 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 4852 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 4852 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe
PID 4852 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe
PID 4852 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe
PID 864 wrote to memory of 3360 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 3360 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 3360 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe C:\Windows\SysWOW64\cmd.exe
PID 3360 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe
PID 3360 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe
PID 3360 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe
PID 3636 wrote to memory of 2568 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe C:\Windows\SysWOW64\cmd.exe
PID 3636 wrote to memory of 2568 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe C:\Windows\SysWOW64\cmd.exe
PID 3636 wrote to memory of 2568 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe
PID 2568 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe
PID 2568 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe
PID 860 wrote to memory of 956 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe C:\Windows\SysWOW64\cmd.exe
PID 860 wrote to memory of 956 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe C:\Windows\SysWOW64\cmd.exe
PID 860 wrote to memory of 956 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe
PID 956 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe
PID 956 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe
PID 1448 wrote to memory of 1444 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 1444 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 1444 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe
PID 1444 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe
PID 1444 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe
PID 4680 wrote to memory of 3104 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 3104 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 3104 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe
PID 3104 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe
PID 3104 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe
PID 4428 wrote to memory of 1852 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 1852 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 1852 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe
PID 1852 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe
PID 1852 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe
PID 2184 wrote to memory of 1696 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1696 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1696 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe
PID 1696 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe
PID 1696 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe
PID 820 wrote to memory of 4112 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 4112 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 4112 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe C:\Windows\SysWOW64\cmd.exe
PID 4112 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe
PID 4112 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe
PID 4112 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe
PID 2548 wrote to memory of 4956 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 4956 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 4956 N/A C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe

"C:\Users\Admin\AppData\Local\Temp\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093000000000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de0930000000000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\gameofmir.bat" "

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000000.exe

"\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de09300000000000.exe"
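The WriteProcessMemory table and the process list above describe one long chain: each hash-named executable runs `cmd.exe /c gameofmir.bat`, and the batch file starts a fresh copy of the sample in `C:\` whose name is the previous name with one more `0` appended. Two things are easy to misread in the raw rows. The cmd.exe image is `C:\Windows\SysWOW64\cmd.exe` although the command line says `system32`: the sample is a 32-bit process on a 64-bit host, so file-system redirection rewrites the path (the `WOW6432Node` registry keys in "Modifies registry class" say the same thing). And most edges are printed three times, one row per WriteProcessMemory call the parent makes while creating the child. The script below is an added example for this report, not sandbox or vendor code; it takes the unique edges of the table (copied from the rows above, with the sample hash factored out into `H`), rebuilds the parent-to-child chain from the root PID, strips the cmd.exe hops, and checks that the surviving image names follow the `<hash>`, `<hash>0`, `<hash>00`, ... pattern. Note that the table ends one generation earlier than the process list (which goes on to the eleven-zero name), so the chain here stops at PID 2368.

```python
import re

H = "1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Unique edges of the report's WriteProcessMemory table (sample hash factored out as {H}).
# The report prints most edges three times, one row per WriteProcessMemory call made while
# the child is created; the first edge is left duplicated here to exercise de-duplication.
WPM_ROWS = "\n".join([
    f"PID 2836 wrote to memory of 1284 N/A {TMP}\\{H}.exe {CMD}",
    f"PID 2836 wrote to memory of 1284 N/A {TMP}\\{H}.exe {CMD}",
    f"PID 1284 wrote to memory of 1300 N/A {CMD} C:\\{H}.exe",
    f"PID 1300 wrote to memory of 4852 N/A C:\\{H}.exe {CMD}",
    f"PID 4852 wrote to memory of 864 N/A {CMD} C:\\{H}0.exe",
    f"PID 864 wrote to memory of 3360 N/A C:\\{H}0.exe {CMD}",
    f"PID 3360 wrote to memory of 3636 N/A {CMD} C:\\{H}00.exe",
    f"PID 3636 wrote to memory of 2568 N/A C:\\{H}00.exe {CMD}",
    f"PID 2568 wrote to memory of 860 N/A {CMD} C:\\{H}000.exe",
    f"PID 860 wrote to memory of 956 N/A C:\\{H}000.exe {CMD}",
    f"PID 956 wrote to memory of 1448 N/A {CMD} C:\\{H}0000.exe",
    f"PID 1448 wrote to memory of 1444 N/A C:\\{H}0000.exe {CMD}",
    f"PID 1444 wrote to memory of 4680 N/A {CMD} C:\\{H}00000.exe",
    f"PID 4680 wrote to memory of 3104 N/A C:\\{H}00000.exe {CMD}",
    f"PID 3104 wrote to memory of 4428 N/A {CMD} C:\\{H}000000.exe",
    f"PID 4428 wrote to memory of 1852 N/A C:\\{H}000000.exe {CMD}",
    f"PID 1852 wrote to memory of 2184 N/A {CMD} C:\\{H}0000000.exe",
    f"PID 2184 wrote to memory of 1696 N/A C:\\{H}0000000.exe {CMD}",
    f"PID 1696 wrote to memory of 820 N/A {CMD} C:\\{H}00000000.exe",
    f"PID 820 wrote to memory of 4112 N/A C:\\{H}00000000.exe {CMD}",
    f"PID 4112 wrote to memory of 2548 N/A {CMD} C:\\{H}000000000.exe",
    f"PID 2548 wrote to memory of 4956 N/A C:\\{H}000000000.exe {CMD}",
    f"PID 4956 wrote to memory of 2368 N/A {CMD} C:\\{H}0000000000.exe",
])

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(rows):
    """Unique (parent_pid, child_pid, parent_image, child_image) tuples, in report order."""
    edges = []
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edge = (int(m[1]), int(m[2]), m[3], m[4])
            if edge not in edges:
                edges.append(edge)
    return edges


def spawn_chain(edges):
    """Walk parent -> child from the single root (a PID that never appears as a child)."""
    child_of = {p: (c, ci) for p, c, _, ci in edges}
    image_of = {p: pi for p, _, pi, _ in edges}
    children = {c for _, c, _, _ in edges}
    roots = [p for p in image_of if p not in children]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, got {roots}")
    pid = roots[0]
    chain = [(pid, image_of[pid])]
    while pid in child_of:
        pid, image = child_of[pid]
        chain.append((pid, image))
    return chain


def generations(chain):
    """Drop the cmd.exe hops; return (pid, number of '0's appended to the hash) per executable."""
    gens = []
    for pid, image in chain:
        name = image.rsplit("\\", 1)[-1]
        if name.lower() == "cmd.exe":
            continue
        stem = name[:-4] if name.lower().endswith(".exe") else name
        if not stem.startswith(H) or stem[len(H):].strip("0"):
            raise ValueError(f"image name does not follow the <hash>0...0.exe pattern: {name}")
        gens.append((pid, len(stem) - len(H)))
    return gens


def is_zero_append_chain(gens):
    """True when the Temp copy and the first C:\\ copy share a name and every later
    generation adds exactly one '0': the re-spawn pattern visible in the Processes list."""
    n = [k for _, k in gens]
    return n[:2] == [0, 0] and all(b == a + 1 for a, b in zip(n[1:], n[2:]))


def summarize(rows=WPM_ROWS):
    edges = parse_edges(rows)
    chain = spawn_chain(edges)
    gens = generations(chain)
    return {"edges": len(edges), "hops": len(chain), "executables": len(gens),
            "root_pid": chain[0][0], "leaf_pid": chain[-1][0],
            "zero_append": is_zero_append_chain(gens)}


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run on the rows above it reports 22 unique edges, a 23-process chain from PID 2836 to PID 2368, 12 hash-named executables and a confirmed zero-append pattern. The same parse-then-walk approach works on any sandbox report that prints one row per WriteProcessMemory call; the per-report part is only the row regex and the naming rule in `generations`.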

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2836-0-0x0000000002890000-0x0000000002891000-memory.dmp

memory/2836-1-0x0000000000442000-0x0000000000443000-memory.dmp

memory/2836-4-0x0000000000400000-0x000000000099F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gameofmir.bat

MD5 e7ea1b2c58fad2c825a7829bb45aba97
SHA1 10cbda7b09abe7c56f9329298152c4fa8a495c92
SHA256 d2964700baf4262b1a4791e837de1373aa4d8b61a2fb755dbef7c6dddd364792
SHA512 e65dbdcb2a04776722f550a11bc088df5e4b301cd989c1649cbe08a21f4a7cb4dd5969aba63a75e69e5d38e6077c3305b2adb0901c75d7a459a3fedf36f0d00b

memory/2836-11-0x0000000000400000-0x000000000099F000-memory.dmp

C:\1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093.exe

MD5 ef8f6471ebd9c98a36aefbadc3e88755
SHA1 f335e8f343413d814f2e640bd01afedcca43629d
SHA256 1f3d6acfb52d17a41c9f85f90c864e9ae8120d27dd3c70c72c1adcb29c8de093
SHA512 f43ed0eed193ccaa188509df1f3c8fe4cc4ba0ff90efdd1b261f4efa4ac72ea063fda0e360c0fa5284b1501c35d138ad4b7f00480926e8f3acf2157ce49c22b4

memory/1300-20-0x0000000000400000-0x000000000099F000-memory.dmp

C:\LoginTemp.ini

MD5 9b2456363290ba7d3b58b22d66ce6a18
SHA1 43f3a27739354d6a21dab842e5910205eb7ebe6b
SHA256 95b5335823c05e3acf512d08169bf4cc9925d70e96b72e83b472cb55b094e218
SHA512 3eceb636eb660bf20d558a396a0ac186902974e9737354577b301765407c98c94f800c62083f6e648bd576da8a84e414919a7a99144b409befea5bb86b48cbba

C:\Users\Admin\AppData\Local\Temp\GameLogin_Debug.txt

MD5 4af02ce2836820192070e0a08ec2f33d
SHA1 ada5e3fbf67e3abff2477b0b8dd798d534f6a3c2
SHA256 faeaf5a123aa8e2136d0f0743c542d250fb099070ffa51d3ac6cbebe2b669b47
SHA512 84093881844e3dcf805dda63ec932bf74d9e69ae931112c9033901c2552da840fc0a44fb535bd2b2115569143235e25772e3fe05beaa88409a95e3491e158e83

memory/1300-21-0x0000000000400000-0x000000000099F000-memory.dmp

C:\Users\Admin\Desktop\2015原版江湖情缘.lnk (the raw report renders this GBK filename as Latin-1: 2015Ô­°æ½­ºþÇéÔµ.lnk)

MD5 50a0df331bf15942ff34dac9ee224032
SHA1 5802541965d37d4b9d4bc014b9aa7baeb1a2fa13
SHA256 6f5a32f2824387ed1b34e33a0e27ef8791f05c8ee93219790df7dcefde53f624
SHA512 4bb657ce9806c3d74db77719b9da9219ab5385d3ca0567c0096348e992f4958461e89d5817d11f2cae2fd4e1afa431beb081c1fbc9f487870a6a8b5e2c406a25

memory/1300-24-0x0000000000400000-0x000000000099F000-memory.dmp

C:\gameofmir.bat

MD5 4ce55cae36264db969790a6a0f7841ae
SHA1 92d436993d32ee8721b3cd0ab2ef61366e59d403
SHA256 6a2b0f6a570f295472d68edec1c14a0e92e433130190b18de62c85ba34f381c0
SHA512 2f7d66245841df0ca49759dd6bed68ab271a1f763658122cc60b37271aed547fe2bcfab5530b8fe582c5bcf66e74abd77602932aa0c169459f97f0d0ab0f1492

memory/1300-32-0x0000000000400000-0x000000000099F000-memory.dmp

C:\Users\Admin\Desktop\2015原版江湖情缘.lnk (the raw report renders this GBK filename as Latin-1: 2015Ô­°æ½­ºþÇéÔµ.lnk)

MD5 06b59be8806aa3a2083afa05477356ec
SHA1 006e2fcbe225fbbb61c38a27fe566ea01df01880
SHA256 2d9e844bf68698e14e70766d72b064289064094b804ce648b396fcc252bad43d
SHA512 009030f89344b94914fd3cbcc29c191780934203ff762ea4966a376f0bc6ee62e315e045e971dcfb0923c8516b34fdf06f43e097914b626e1a65fbc775e615fc

memory/864-42-0x0000000000400000-0x000000000099F000-memory.dmp

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\gameofmir.bat

MD5 b47e23449e4fa6dede957f9546f5542d
SHA1 0ba40ed56221c99f20628267df571022a3e9eafa
SHA256 c87b3c4d65a81ae78d22e86cfe4e9390a9cdfa26967bab32aa4560175fcde285
SHA512 2694acb4b3ad3cd8073d4395af45ed87b71c4ec52fac82b8e795f946e73efdf43618678dfd7d3e0c3d56042c890e2bd02ab1e14a96fc570b9f54b517f1d3e065

memory/864-50-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt

MD5 6150872defe7801a3a1a9972e4726ea9
SHA1 01f0447d51b5f3d8328302895b1c3cecd0070ad8
SHA256 0e20dc2f57274a85eb9012be139e60c9a08c8ff95cc12401e4b521d7e565fcab
SHA512 a284d61939909807d9576b94c358ff0c04fa2d8d1f012b07678a2e62ebcf248ee630ec4497ab1574bbc20cfcfb8072954c6a17fe237e250ad44f9e5131a8c207

C:\gameofmir.bat

MD5 7427bb5bf3be7f2694e7df4e89d8cc92
SHA1 2f94f843946a1debc6c4f13d4c348d44fd805443
SHA256 48b2f8ea6c86087572c8497bacd2857e8779c0bb1626740d0092ddd42dc720ab
SHA512 bf2f2f822eeae372cb81984947798e6e5b2900aa2ac3837583c1ec71e87377233514a905523c39b27fb5488de4216f82f5e31bfa926d4623767390c566ffcaa9

memory/3636-68-0x0000000000400000-0x000000000099F000-memory.dmp

memory/3636-69-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt

MD5 fd684de6bb0593ca48b5da0f3faebcea
SHA1 336b1d24d75df697e131181251feda3780aad3d3
SHA256 733f65da23416e36ebb9a85e892c8fea6adb39b6330f1dde6a6125290365acb2
SHA512 a4d77176afdf7b86928b47eb53e564df502ae856fe9d4622a55ecbeaa14510566f08ae9c2177a51ad41fd4201035dd077ba25bd0e092a2973c92c4f5fd4aa43e

C:\LoginTemp.ini

MD5 072418f231e0bf022453501d596b6b89
SHA1 c8e473298746f00c4f88013768417388dc202edc
SHA256 02498df477a6df1e5fb0e320e05b5554350e53c48178ab4fdac8a8c19b3ccda0
SHA512 0547c2f3c9da08ad230cd4910d04a24908dcd030ebbe499a7158f2c2bff4420946b71f91371a2345468378c90dfad804626d814f6b8031172a0ae998fe8fd8c1

C:\gameofmir.bat

MD5 23b6731271442175a78f451c4d0484a9
SHA1 53f9cc4006e9f71e895fd7f73d2304093460f7af
SHA256 541d29360511b48de75c4dd2b90132bfb92fc7990a3b64af481daa40d7835aaf
SHA512 d432f30495da9de2471aa811a0079df1acc0bdc1c57377adea5e80a4e1a3f059801605ab5b732c9b323664917d7d8822d74f1643b62aa2d509df3e2ead0ee067

memory/860-86-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt

C:\Users\Admin\Desktop\2015原版江湖情缘.lnk

memory/1448-104-0x0000000000400000-0x000000000099F000-memory.dmp

C:\gameofmir.bat

memory/1448-106-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt

C:\gameofmir.bat

memory/4680-123-0x0000000000400000-0x000000000099F000-memory.dmp

memory/4680-124-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt

C:\Users\Admin\Desktop\2015原版江湖情缘.lnk

C:\gameofmir.bat

memory/4428-142-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt

memory/2184-153-0x0000000000400000-0x000000000099F000-memory.dmp

C:\gameofmir.bat

memory/2184-160-0x0000000000400000-0x000000000099F000-memory.dmp

C:\\GameLogin_Debug.txt

C:\Users\Admin\Desktop\2015原版江湖情缘.lnk

memory/820-171-0x0000000000400000-0x000000000099F000-memory.dmp

memory/820-177-0x0000000000400000-0x000000000099F000-memory.dmp

memory/2548-183-0x0000000000400000-0x000000000099F000-memory.dmp

memory/2548-189-0x0000000000400000-0x000000000099F000-memory.dmp

memory/2368-200-0x0000000000400000-0x000000000099F000-memory.dmp

memory/2368-201-0x0000000000400000-0x000000000099F000-memory.dmp