695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
Size

7.1MB
MD5

7398126d0f9e59951270034c91521718
SHA1

d2c3fff9b8728360b072ada04b7b480276004eda
SHA256

695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89
SHA512

2092b5c84617ba3d811d000f9a0cb08a58039c147a539f96f8625cf63103e1da6fcc9464a83917b0058d33432e271725c482d8e460df38d0c8e97d74395a01aa
SSDEEP

98304:nUBqSgY9l1GQmGg5TfF1rkTQuDPfOJf9309jTgvojmHvlYZ/AJIZa7uhx28:UPhGfffurfOJlQTS2YvlySyxv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 39 IoCs

pid	Process
4920	Logo1_.exe
1912	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4848	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4372	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4380	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
2376	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4664	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
1660	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
3500	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4948	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
3608	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
2780	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
3036	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4588	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
3908	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
1416	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
3208	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
2016	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
3664	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
3920	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
1568	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4272	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
1372	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
2408	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4252	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
1760	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
1328	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4040	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4200	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
2140	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
1156	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4448	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4428	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
3236	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
3460	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
1368	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
3984	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
220	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
3828	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.tmp

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini	Logo1_.exe

Drops file in Windows directory 40 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\rundl132.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
File created	C:\Windows\Logo1_.exe	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe
4920	Logo1_.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 3456	864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	81
PID 864 wrote to memory of 3456	864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	81
PID 864 wrote to memory of 3456	864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	81
PID 864 wrote to memory of 4920	864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	82
PID 864 wrote to memory of 4920	864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	82
PID 864 wrote to memory of 4920	864	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	82
PID 4920 wrote to memory of 2408	4920	Logo1_.exe	84
PID 4920 wrote to memory of 2408	4920	Logo1_.exe	84
PID 4920 wrote to memory of 2408	4920	Logo1_.exe	84
PID 2408 wrote to memory of 4864	2408	net.exe	86
PID 2408 wrote to memory of 4864	2408	net.exe	86
PID 2408 wrote to memory of 4864	2408	net.exe	86
PID 3456 wrote to memory of 1912	3456	cmd.exe	87
PID 3456 wrote to memory of 1912	3456	cmd.exe	87
PID 3456 wrote to memory of 1912	3456	cmd.exe	87
PID 1912 wrote to memory of 232	1912	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	88
PID 1912 wrote to memory of 232	1912	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	88
PID 1912 wrote to memory of 232	1912	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	88
PID 232 wrote to memory of 4848	232	cmd.exe	91
PID 232 wrote to memory of 4848	232	cmd.exe	91
PID 232 wrote to memory of 4848	232	cmd.exe	91
PID 4848 wrote to memory of 4852	4848	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	92
PID 4848 wrote to memory of 4852	4848	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	92
PID 4848 wrote to memory of 4852	4848	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	92
PID 4852 wrote to memory of 4372	4852	cmd.exe	95
PID 4852 wrote to memory of 4372	4852	cmd.exe	95
PID 4852 wrote to memory of 4372	4852	cmd.exe	95
PID 4372 wrote to memory of 116	4372	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	96
PID 4372 wrote to memory of 116	4372	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	96
PID 4372 wrote to memory of 116	4372	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	96
PID 4920 wrote to memory of 3468	4920	Logo1_.exe	56
PID 4920 wrote to memory of 3468	4920	Logo1_.exe	56
PID 116 wrote to memory of 4380	116	cmd.exe	98
PID 116 wrote to memory of 4380	116	cmd.exe	98
PID 116 wrote to memory of 4380	116	cmd.exe	98
PID 4380 wrote to memory of 4588	4380	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	99
PID 4380 wrote to memory of 4588	4380	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	99
PID 4380 wrote to memory of 4588	4380	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	99
PID 4588 wrote to memory of 2376	4588	cmd.exe	101
PID 4588 wrote to memory of 2376	4588	cmd.exe	101
PID 4588 wrote to memory of 2376	4588	cmd.exe	101
PID 2376 wrote to memory of 3132	2376	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	102
PID 2376 wrote to memory of 3132	2376	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	102
PID 2376 wrote to memory of 3132	2376	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	102
PID 3132 wrote to memory of 4664	3132	cmd.exe	104
PID 3132 wrote to memory of 4664	3132	cmd.exe	104
PID 3132 wrote to memory of 4664	3132	cmd.exe	104
PID 4664 wrote to memory of 1996	4664	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	105
PID 4664 wrote to memory of 1996	4664	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	105
PID 4664 wrote to memory of 1996	4664	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	105
PID 1996 wrote to memory of 1660	1996	cmd.exe	107
PID 1996 wrote to memory of 1660	1996	cmd.exe	107
PID 1996 wrote to memory of 1660	1996	cmd.exe	107
PID 1660 wrote to memory of 2140	1660	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	108
PID 1660 wrote to memory of 2140	1660	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	108
PID 1660 wrote to memory of 2140	1660	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	108
PID 2140 wrote to memory of 3500	2140	cmd.exe	110
PID 2140 wrote to memory of 3500	2140	cmd.exe	110
PID 2140 wrote to memory of 3500	2140	cmd.exe	110
PID 3500 wrote to memory of 2352	3500	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	111
PID 3500 wrote to memory of 2352	3500	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	111
PID 3500 wrote to memory of 2352	3500	695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe	111
PID 2352 wrote to memory of 4948	2352	cmd.exe	113
PID 2352 wrote to memory of 4948	2352	cmd.exe	113

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
  "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9E24.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
      "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9F5D.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:232
      - C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA18F.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA364.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA5E5.bat
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA9CD.bat
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAA88.bat
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAC2E.bat
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAE60.bat
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB064.bat
        21⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB229.bat
        23⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB47B.bat
        25⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB6AD.bat
        27⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB8D0.bat
        29⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBBDE.bat
        31⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBEAC.bat
        33⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC10E.bat
        35⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC39E.bat
        37⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC582.bat
        39⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC8CE.bat
        41⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCA55.bat
        43⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCD43.bat
        45⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCE2D.bat
        47⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCFA4.bat
        49⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD1C7.bat
        51⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD273.bat
        53⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD33E.bat
        55⤵
        
        PID:3644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD3F9.bat
        57⤵
        
        PID:1528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD532.bat
        59⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD5FD.bat
        61⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD699.bat
        63⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD793.bat
        65⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD8DB.bat
        67⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDA14.bat
        69⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDADF.bat
        71⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDBBA.bat
        73⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDC66.bat
        75⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        76⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\is-4N180.tmp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4N180.tmp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.tmp" /SL5="$70214,5481670,54272,C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe"
        77⤵
        Executes dropped EXE
        
        PID:3828
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a9E24.bat

Filesize
722B

MD5
77af2218a421a036323de5cd42698c47

SHA1
81e65caf670cf5161cb10045767cd13dee3ee7b4

SHA256
adfd9ec835b2e2ea0bde4adffb9bd8525ecbff50ad5e9f5ae32d52bdeef09017

SHA512
60d252b40d8f017c7886c283e6a27e7019abe61d8dfad0f45c4d95a7fd214fd2966adccd7c332c36125b58d630c9b6414b7e34184e30045dc6dc955766ee40ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9F5D.bat

Filesize
722B

MD5
71c1806b83cf55ed4e84a07b195765a1

SHA1
5f367004df780e0e95b59b8c4f31c95c1bb5af8d

SHA256
d227eac4fefdb2fd495e67436c04d1a1503cf25d7442f911f52f9fe15f2575f5

SHA512
5df50eaa60599b3ad216a3ab2cbc958e20349a080b7bb322e8b62f92ac7f408e9ed28538c1862339b5597e8a5cd62d2f5c85a3ad8ca42a2b643fe14a3aa900f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA18F.bat

Filesize
722B

MD5
9b0590912fd5218e553317995e16b2e5

SHA1
68a1c9cee14b9a9cbffd9c12249b1bbf5f86cae0

SHA256
00341b8430125cffd63fb47f14aeb84560a3eb2a371bc7649880c50c87fd4e96

SHA512
dc27a0c8d11d32b71778dc1febe32e1a70d2c6d0f8498869b704dc8719c1838da2b60f48229ca64f18222d0e0d8a007b4fa2107298461acf84303a5667b52fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA364.bat

Filesize
722B

MD5
839b43ef54591bbadb94493b2d196b02

SHA1
4041a8588dbc6a2da60aff3188fb344d2386b9eb

SHA256
4e00bd3f7d2c27042413c937e2a5639e15c1fb002f8ad74ab8d2a0b4edeaa55d

SHA512
f75aa39fe01aee9352a158d4d98e4d0d6e36d7c2c6b5604ff20e7403fd14c0edc6484df309c32aa1b085ef02b2dba838170d9448ff14aafd7e176338e1e1f55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA5E5.bat

Filesize
722B

MD5
ec41be85a144859968ecc36f87a1a1a0

SHA1
6eb347379946718dc7293aea5331c26cddc22b7c

SHA256
0d1cef4ccf6befc0f6e4b88db585ce1e122160084f0655b87c3fda4463f78a1a

SHA512
a715d2cc074d6e447e6ac9adb86f89c2c3b8c108a2d85356224666c68a11470e7eb69132cee640dd15751545eda40f51a4d0111e43e7f932fb5a6ed4d525eaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA9CD.bat

Filesize
722B

MD5
90e0e4ae24def9c07f6df4133f319f5d

SHA1
bf15542597985acc58d940e1be2df18104e0f1be

SHA256
88e55649f438894e717e14ca846c47aebf4cc6dfc26d35e0fd08018438bb80ba

SHA512
d6dd901ff23ca55c77f7463ccae583514b90be0c64aa2511880ba9d7c361e4df915e4f2f5adf5923893ecdb1257868b57cbb1cccb3919eb12c63c0606dd72a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAA88.bat

Filesize
722B

MD5
5521b18562eaa975c6915879a696e4fd

SHA1
a8fc76499de6ae37ffa2201abd5e6ca7688ab7f4

SHA256
7cce4d8ee20b45bb2a594309b93a9612c058334513a7956945d5f8d58cb0384f

SHA512
c49f4fceb2e2751f59400fb970eead5ea462d3253f0bfcebf5682790beb9d1261d2e8942a8d46e64291772f32c3feba936b91562616e71284101e068eba6a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAC2E.bat

Filesize
722B

MD5
c3d34f13b877d8b9609e6d01fb35c1c8

SHA1
a1e9adc4b46edd54f4e7f2c7d1ecf43498f386c6

SHA256
06976c48f9fb0b0cd4d723de8a5d6e78c0ca9c13c46f16a23e957fba1993e6ca

SHA512
219297b2ca7ff7d1aa1aa8e9db5cdfdebdf4f06dcbb90147af7e39d3b28149a85925ffaeb9effec9fdc9d330a2d5b70a6c86baa9f3deee5bcf18eaf6226c0086

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAE60.bat

Filesize
722B

MD5
910f79c2c94a752ac2315433f6736d29

SHA1
cca013964e3abab09d81c88c5f1b6235609eeb3e

SHA256
2e84644d1d2c96db347d7435d268854e38233fccd0687309ccb602a8212dcb1a

SHA512
f3fb00f0b9170713dce718370a00e62a1502bd28f1e2b0817dd7559ec6352256daa0ab040e6e71d3b20f04adc13a65fbeb75fd9b10569a0d7eef2b68bb080b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB064.bat

Filesize
722B

MD5
1ae5385b75d4a9eb40cf71f8b7dd3d61

SHA1
1a8615567957a93bd0f51c2a485b798eadca3ac6

SHA256
2c8645acf72cbee158379b772e7db005bbd135ad4b54b20dd2196dd92b067d0e

SHA512
cadaa1caf5918846824704b68194ed5620059daa9fbe9dddf832f26a30acc4e81075aba5e2c3a8f52b3e557ef5f9e2a2880286c41672e11254fa449b4da3a3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB229.bat

Filesize
722B

MD5
c25f8bd3bd2321bb41b38cb90eafd812

SHA1
01cbf4d184f63ca14c292af9c7f8163a449da340

SHA256
99977d64a556f5011e4b6d72f95c403e0d69e8a90189eb22b9f9e5cf2b32dfae

SHA512
68f10079f1c73adcff742b49f2c145ced8b57ce18d419a6a39833b33761d0ed0a1b364666e5bfe2d95c6968d980af4bd80e29598ec63a231864c60c2eb7583ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB47B.bat

Filesize
722B

MD5
45071552edd8c30a11e0ce020e393e8f

SHA1
8c1ab9eac7eb92fdf24964cb2da8c4ff5613db83

SHA256
ad7d27d390070f6e422c715229da2a5ddb2b4c55c2964994b6fe6cc1217c5908

SHA512
3f852390976620a1b3166910f05222010f6eed9a266530e022197653a8ba7d7ecebe004ec7df84693d12a646194569178360d8d438612ae977c8973e2f10be8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB6AD.bat

Filesize
722B

MD5
7e9b19aefd872c44f844420c49d867b4

SHA1
56c2f75e81296c47b1ebc8ae343e725ea4f4fc18

SHA256
57db11560039e41fa63748d7ceb59b538b3cb2e4edd6804b6dc81b052bf888b1

SHA512
e15525111aeba1f9b390ad70ccfa0ad2e60a5b0669c492e3445de243d57c97a3667cbde6744c3fc0550b8614a65f3a352e7209694c2bf0ad033f95e5bbf5260d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB8D0.bat

Filesize
722B

MD5
f8ada5198146666b4e9b320a159c3c98

SHA1
a8fdf0398d3c57d8bb0a0600a4a7b8f006804f62

SHA256
ff40891cb91c954724553c799d81eafb80a74e6c535f0ab142f9b6a057fe7fd3

SHA512
f93724fbabe11783b7f45e0760df8cdf5c4a41ee3ba02e8a92902faa82bce84979077c48f15c3fb7c35ae1f7ad0887b634287327b09b7f3b8d47b5ec3a76ed45

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBBDE.bat

Filesize
722B

MD5
0c3b2a083b6e368164159090a23c52ab

SHA1
f487453ec24688eca80abec6c4fb2b4ba88d8c3c

SHA256
a10ac4b2cfdf08a872838fd333e3cdebf97ab809b481aa0e3ec8524626ff64fe

SHA512
2c25e951fee949f1ba461907931a8800d54c0a4aad76b0152b88abe6a6d714e156b8882194232f4099e36e4c6ef3699c28eef3262c0a8fa21e3c1ba3a9b70f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBEAC.bat

Filesize
722B

MD5
63f27002be1e90bd93c016de9be59524

SHA1
56c988088df9a76c1d5bb2f42673a3c5341da03f

SHA256
10e348d4c0fce9448a616fb2e9c5443dd672b4f458ec433a165006cb809e596d

SHA512
66723b62a30b12d1606770f39ec243754a524e88cb41fdc0590ca35e78ac0653d56a39b9b8266566c3c3872e2b68c0566e18f057fb646687306e8d0827872852

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC10E.bat

Filesize
722B

MD5
3c1e48420f1d71c2e4d864ab44aeebe4

SHA1
11063d348a85e90d52a62a4cd9ffeed9a1385cf6

SHA256
4ce4a60aa20aa4fca9b65f6503a3a9f68d1d629b26e36d43f3377cb2b784fbd3

SHA512
4c94ae40a500208f3732877f4a8b56c320d575082ca54101e155befc24dc5d1c0ad732e05a0c17dfde56db9acc3e30dd7b5f47931eb1bba68da5dafda68186e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC39E.bat

Filesize
722B

MD5
d498cdd8ec09fa74ec275d859d4fa179

SHA1
e42927513bf3ae5baa0aff5b7ac9b8339341d35e

SHA256
7d99a0f5ecce2fee8d336878372d77a4506bf37700e154864daec5a5b72328bb

SHA512
94645b52ea3f6ceff1c16301f102265b13e9db359be5ab66a7eb4dd50ec10bfdfc9041a6f4a10755c69a41cf2085005db0bc219cebd86f265650dc8df71d1f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC582.bat

Filesize
722B

MD5
bbc6f2ce982bb6a99284bbc27ab70d89

SHA1
5d4833c494863418f5d2b98d5fda6e4893b92595

SHA256
b69dde8f2f0bdaa004ebe0a45a1152264cd43c1bcc82be35517eac47fb097169

SHA512
eed378d15fc081969921e0b0e02666b43697d057c66180a3a94b07f1fb417671bb0dcd56ae73c03cccdf894672053b62e6ac72e09936df0b995fb934e35a2513

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC8CE.bat

Filesize
722B

MD5
336e7e4f56c0b30e504ffdd29f512ba3

SHA1
f3a82c297007e8ea3f001c01631f4050ba2c93d7

SHA256
6f79198af5a8fd693dfd17ae8d67db273e3046df91113db6b1c3f9af2d4eef62

SHA512
6fc0fbb37ff73c3ef6104ee1d6157a3437cc36ed98f47cfc853d9138c745af69e551663545e7f8d6b12e561675cd4de334e3da2d82cfa5d27617ef53c03454e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCA55.bat

Filesize
722B

MD5
185f3ac70b178fdf73c21d6cd7e9f93a

SHA1
ac7aeabd07c42e4a2b1b8acdb16ed917ce5118a0

SHA256
aa0384c45c3d0baaa7411f199cbbf240abe41837ea1537cfcb6c65fc77cfce27

SHA512
b934230664b59c3a8c22b23e1349e6a1f92934a9fe649c12d1ccce5e1c03f216f0cb7ae867438671b1877e1bb5382205ad0da2c8cd29111d4e9449f13aea9317

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.7MB

MD5
6963444a60175983affb3e2ab90fe5f9

SHA1
e6435b1b08bf7a81fd28d5706a293f417132cf41

SHA256
9098eef1353f15fd2ef6e512dee350ec0005d331b420e683a03b5c1c98bcb157

SHA512
4b57b5f84b70a748291d62f1ffe2e47604d5495866eac268494d4e942c069713e586d513ae68c5af9134746971293b5da5498b0fca3659b30a6929d0685e05d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.6MB

MD5
b6628a0c81e332f07e2baccfafdc2be0

SHA1
8c0accce34f79f77fef1f4f0d61fb923a60d7d91

SHA256
57c2462a9dfcaef6e211b3d5e4cd651d5ce3698157e9727e7e767250f91183ef

SHA512
0915d7ab2fbdcf7bbe84910920f7f55443ed1bd1f3c29a3ed6e96586f0b8c205985eaa88e3e2edbf0ee49a786f7e615e09c9138e1c43adf85baf0f4e10a8be74

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.5MB

MD5
df382ea3ff4398f4a4d837c8987f22dd

SHA1
43806d21a48c3015e89b36a4481420ec7b0a4687

SHA256
99650978423e57f212baaacd81b9dd16cf99bace741e81f7f1da8d978170fbb1

SHA512
9a0528cf8ae65f5e1c200dbeaf8259fac47082459374d8f0c6bcac4a80fdc9c09b6c27d6fa52a47dfc9a7e1f0636c979f91e0733d0cad65de677985b146281e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.5MB

MD5
9f2369a963b8e88b266984aa7b02f86b

SHA1
923efab3743c19d91dab6968cf97b5f430b2c07f

SHA256
b4e7a537d03ab538f1d7fac968295fba68d6895fdde63c1384910041b7469f08

SHA512
2cb5136b1e90b94dfdd043b5c37779b782213bcfdc70a1aef60019cae2fa7743bd0da3933647b0b3be463339f2174b7d70c1818157ef7231434a61d7a35b0374

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.5MB

MD5
d2db703748ff151b019a70b179c817d8

SHA1
4fafc376d12eb4d55f9cf2f8ce1385f2e65dc260

SHA256
4bc469c4c014f7dbe8c4a1283d144503191ba1d3d877277e8d5bbee0ce543675

SHA512
d58885a0fd98e4e7301cfcf15ffc44f64201c7ff619f48b7d971292dd57ef135a2c7889c81ecbf0d99b3fdeb45806547f86a6a28267910903e3ded1e4a62e1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.4MB

MD5
4b3307d24bc930eead9454dfb9c35259

SHA1
4e13e284ff62e55325d985cdab068f2ff21821b3

SHA256
a7f8fdced886b5d5a59d86550cdd5f7ae7a4d7c86aa651d25f5e23246a9eb944

SHA512
c6b05bbd6a953dd334ca559b4a25a34a77151f2cf29677a39a51a4cab35a6ec0e313def61e0e8d5ffe24cd3b85a9d455a032df3147c7d2b8f14f20cca7e6c619

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.4MB

MD5
2a0f4d81e8b76ce69a65d0009552a042

SHA1
739270b90ab2e224206c6a88dd9e1cece6ba2a87

SHA256
2fc54163903a1b4d0222287eaffd4dd14a15a13b1b8883b04bb3eac71554dca5

SHA512
0bc459c43b24b8c33d70c20e1f51d3ae1bb2866428de7011d0a74f169f551fda079bf56a4e3dbb32ae9f4eb37d8dc4c473c6f767fcf798e898d67f3bafe8b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.2MB

MD5
aa0777b06d471f24f326a737774b2b6a

SHA1
73703038b0e4c766b3007f81388dd070c72a13e2

SHA256
bccee2b99cc343bcd74659acfefbcff7637d1ab2d6872ed4b0f6b15eb7bc9ede

SHA512
9cd638c49a8e1d2a75f3073379545b9aa6bf769efbf92e4177d828d0b0ff664fced6b18b60a8dcf0a441f5b89f2b6b676458975afd827c1c1a9e994b7cca5675

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
7.0MB

MD5
62f27083787ee8cd424938248c7c7cd1

SHA1
e4b6a8631af40b58619964aa1b7cac839b54f157

SHA256
7001405173ef736836f72b3e7641c2187db060136db4cf89db3a976e46cc03e4

SHA512
6bcd7200de046d2126a29d451f267fd326dd8ef962b0fc0b7876c4563c53263c47694da2cf1a81c6a304a90f10c751354c9186d15482c303d735841f23e13368

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.6MB

MD5
b6b1e4c147f553074c77b00a4e98a35d

SHA1
b0f38820daf13466a584e0382ff04321f6dedf25

SHA256
912a273fec82d9aeda9ab2ce50931291effb32687fac5d703c4069cd265c0282

SHA512
756fc0d2c71304e20595335419c413dfe3d1d4264c20042348736d58a9572074fe855b943acab3d1b98afa96da73e128787c2bc897af4a4bb638db7c9a620392

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.3MB

MD5
449d1c12129a80025cc578e713ad538d

SHA1
2f0c5720d164f7b8dc2d06125acddab951483b65

SHA256
eccb31f392449ed2f8ed58f0b2ac87cb4206e5622519db9541da1185f7abedf1

SHA512
5a2e22131dac70f26077f8b4b9fec178b93c4ca9501e5ff6b53af8b6cb1d5ec174a8c912a6a658d09c43ce5a65046c66498214299cc706eb244e6fdd74d677e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
7.1MB

MD5
dc4ce2aabcd8f3563113bfd643489559

SHA1
aeaa8b162ad546f403ae1af66e1c25b36cf0ca59

SHA256
53e1242fc0f5e9c9a81fdde721a7c5f364c6748c4d273c66a4c297208d48c729

SHA512
a55ed55c882e55b1502c92d78e443c8a3ae8adf620bf0d68838a87cae769b36a19fc60124cd5f9f9d31c8b7325b5b08207d4470080c7d92cd4e3dd682c40a653

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.3MB

MD5
a3bbd192499ce129e07c4036f857129e

SHA1
d99f16bc4d47b3ffe19afe1d897800332329e068

SHA256
55912508956ae0155b287a9e46654d2a0d18184a95409c7e6d3d8be153d1f356

SHA512
047e9a3b1901df30698f122c6fc723fcd05367c2c17f838f176b0162b5cfff62d23260e088931b939a8c1c3e06b9cee88307f170565049897f900345116c69d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
7.0MB

MD5
e9dfb1ebba03040461aff20545f9d69f

SHA1
9f2267c208aa6c2c5fc8ac44c1b7305f164f06eb

SHA256
6105aafdc8b82f108e08f22103ea6220faadd30a58a0067cc7501a017e1ab051

SHA512
b246a7b964629cea21178556a6bdc10fe3b461272492ccd3053c01fe12106f7a63f14eb2cadb96000b5c855e37826a07cd177e82d3962a7455e47dd82d1d11da

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.9MB

MD5
7b7e95a967bdce25c43703e0ce775bf0

SHA1
e23a4fe5acabbc6b7f9973418c39feb187ec5a53

SHA256
44d20edc69eb35d23e69ca0642b53905baa670c396fb49226aa2a9592fc5ac1e

SHA512
a7bd50da88e9bf361a58452925f2b4b836dc6cd56dab7070afc946fe151aee9da8b99cb2f890ef1c8109d350f83dd36f489ea1a712f3cce32e3d72c253e44106

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.9MB

MD5
fe862d38295d7a0652cd0d96bcf68636

SHA1
dfb1d42c94b5f2d9bb8e9794251cb8bc63705947

SHA256
312c8f4295b4a6de9bd528f5cfd44839f65ffcc3e08092ecbc3a8ce4e3d4ed6e

SHA512
657f62957509f42d4b5535d8c06ec85534cec247541cb5e9f469838b169dc435157340414567459c0cc97fb205869f1ee7d397c562d3642df134a9a0e70b6f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.8MB

MD5
5407f68845c447de77bbb3fe715ecb24

SHA1
95495a8d1974a2541a339fbfcbedcad62cca085d

SHA256
c546d7c93ac912cdf1624e436b49231562546c555893fd9498d199bc7b288372

SHA512
740c99a563103f018540bcef8ca2b94dd3fb4fd1f6a60fbe6569943d7a446a6ae86e146f9824a2c63040302ba02ad9e5cd9321249a709df5ade2096533a29e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.8MB

MD5
64654d18d1deef98c95770b1be6906d6

SHA1
3eaed3ebd59016380875516ada680fb9d30b74b3

SHA256
304e9dae2c7dabf04b027c23c231a0ad296ad3f131616320d40573c2a8e052ec

SHA512
84e02ab7b625ce36a361eee2d1a09715e1df73e4c267efd9dc921731e748ce70e3d25e4e36075039c467808211fdc98a3415a8f577fcf9e6ef3e4ef0676e48a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.8MB

MD5
428eb5b94bfbe4178ea8b9383bbf56d3

SHA1
a6bb411c6f1713d062072a1b30b2f7fd4c31cb35

SHA256
63b97192cf720abc7907cca3d70fdc78c28cfd561971c97520100d0a7f7a06c9

SHA512
79647dadd3b30d2b86ad6dfe4ceec30f988991e5ee7dd00f2f0c81a371bb46bdac22717d270290f878c614e086fb23383bf26af919f2536d50207d9733d0bcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89.exe.exe

Filesize
6.7MB

MD5
623d2aeef94622cfdbb1dba473115acb

SHA1
91047961597093bda43579c754f6faf7b49b0184

SHA256
3eb86ebe7d7b106d6cb31d16af728bf9e450652844cb7d2af7720b72ad90cb6e

SHA512
2327c9aeb20b12aa91c764ae1816c1c98097e849845822c92bf243d64f2f19257d412ef4d87abcd2aa797ee7b6c380fbf8231f2cbe08e0bd62244e871e95c556

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
5f2d8db8803f3aee3357da7db29c2462

SHA1
37dc511f9fdbbc2d32de9c2fec65e5599933095f

SHA256
94c19e462b89a4546637ad02a81b5fac230feed1f86c0b3edcd7df7f91fc522f

SHA512
7a0a35cb164d762cc2f3ca89d5834ea7ebc8851081f18163ed5ca26cf74d5018a7cf37ee3c5541e6d519e801af25853e8069972f7a3a7a14177022156ca958e5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1403246978-718555486-3105247137-1000\_desktop.ini

Filesize
8B

MD5
8ca26bb1fe4da60eed2a231635eb2857

SHA1
405090f7801e12b524dae9c7d0fef9a3fa8b41d8

SHA256
503d5e11de7bb526313442e7b0380b9fb27430b5ada8ad10b5008827c8a4fc54

SHA512
6852196fcd3912e037e41764f999dbb155b95d7b706e496159ac06845e46ec03a875d8a6a3a54e1316d9ce2986fdc17fdaa98024aa3a3c69f276d34ebf0c7426

Download Submit
memory/220-5413-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/220-5403-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/864-10-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/864-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1156-3918-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1156-3886-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1328-3271-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1368-5115-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1372-2600-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1372-2560-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1416-1637-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1568-2188-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1660-77-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1760-3115-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1760-3075-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1912-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2016-1874-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2016-1878-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2140-3815-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2376-59-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2376-55-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2408-2834-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2780-134-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3036-274-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3208-1763-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3236-4751-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3236-4697-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3460-4935-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3500-84-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3608-100-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3664-1885-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3828-5414-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3908-885-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3920-1999-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3984-5170-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3984-5180-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4040-3377-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4200-3671-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4252-2975-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4272-2437-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4272-2375-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4372-36-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4380-45-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4380-41-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4428-4470-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4448-4096-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4588-349-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4664-66-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4848-27-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4920-11-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4920-102-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4920-5412-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4920-1886-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4948-93-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download