1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c

Analysis

max time kernel
3s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
Size

7.2MB
MD5

f33d56243b78b6cab21098e4b477b11d
SHA1

28d9d86a1a4f82690ce93dcb30969bce1571c637
SHA256

1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c
SHA512

1a58b7e652c695203ae8721e8c871dacf06d82af057ba5cf9602c329c559a80b093ea3339dc4663d3c5066971e7ab220b93c385e7ceee34d20f90474b92df51a
SSDEEP

98304:/UBqSgY9l1GQmGg5TfF1rkTQuDPfOJf9309jTgvojmHvlYZ/AJIZa7uhx28:MPhGfffurfOJlQTS2YvlySyxv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2932	Logo1_.exe
1992	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
File created	C:\Windows\Logo1_.exe	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2428	2932	WerFault.exe	83
2948	2932	WerFault.exe	83

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1716	4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe	81
PID 4968 wrote to memory of 1716	4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe	81
PID 4968 wrote to memory of 1716	4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe	81
PID 4968 wrote to memory of 2932	4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe	83
PID 4968 wrote to memory of 2932	4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe	83
PID 4968 wrote to memory of 2932	4968	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe	83
PID 2932 wrote to memory of 2140	2932	Logo1_.exe	84
PID 2932 wrote to memory of 2140	2932	Logo1_.exe	84
PID 2932 wrote to memory of 2140	2932	Logo1_.exe	84
PID 1716 wrote to memory of 1992	1716	cmd.exe	86
PID 1716 wrote to memory of 1992	1716	cmd.exe	86
PID 1716 wrote to memory of 1992	1716	cmd.exe	86
PID 2140 wrote to memory of 2412	2140	net.exe	105
PID 2140 wrote to memory of 2412	2140	net.exe	105
PID 2140 wrote to memory of 2412	2140	net.exe	105
PID 1992 wrote to memory of 1548	1992	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe	88
PID 1992 wrote to memory of 1548	1992	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe	88
PID 1992 wrote to memory of 1548	1992	1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe	88
PID 2932 wrote to memory of 3516	2932	Logo1_.exe	56
PID 2932 wrote to memory of 3516	2932	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
  "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4DA3.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
      "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E2F.bat
        5⤵
        
        PID:1548
      - C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        6⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC6AB.bat
        7⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        8⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE167.bat
        9⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        10⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5E7.bat
        11⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        12⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a27F5.bat
        13⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        14⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3CB6.bat
        15⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        16⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D6F.bat
        17⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        18⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5E38.bat
        19⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        20⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6EF1.bat
        21⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        22⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8028.bat
        23⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        24⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9277.bat
        25⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        26⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA8ED.bat
        27⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        28⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBC75.bat
        29⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        30⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD29D.bat
        31⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        32⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF4AC.bat
        33⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        34⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a13DC.bat
        35⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        36⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2560.bat
        37⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        38⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a304D.bat
        39⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        40⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3956.bat
        41⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        42⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a39A4.bat
        43⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        44⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a39F2.bat
        45⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        46⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3A40.bat
        47⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        48⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3A8E.bat
        49⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        50⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3AFC.bat
        51⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        52⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3B4A.bat
        53⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        54⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3BA8.bat
        55⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        56⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3C05.bat
        57⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        58⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3C53.bat
        59⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        60⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3CB1.bat
        61⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        62⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3CFF.bat
        63⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        64⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3D4D.bat
        65⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        66⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3DAB.bat
        67⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        68⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3DF9.bat
        69⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        70⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3E47.bat
        71⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        72⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3EA5.bat
        73⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        74⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3EF3.bat
        75⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        76⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F41.bat
        77⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        78⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F90.bat
        79⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        80⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\is-8AD1H.tmp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8AD1H.tmp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.tmp" /SL5="$1B0068,5481670,54272,C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe"
        81⤵
        
        PID:2352
        
        C:\Windows\Logo1_.exe
        
        C:\Windows\Logo1_.exe
        7⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Kingsoft AntiVirus Service"
        8⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        9⤵
        
        PID:4648
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 968
      4⤵
      Program crash
      PID:2428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 968
      4⤵
      Program crash
      PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2932 -ip 2932
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2932 -ip 2932
1⤵
PID:1512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a13DC.bat

Filesize
722B

MD5
2cbf1e6d0e2ab9991b31a192575d08e9

SHA1
f017a0e9443bd5882d8947d0c9780bdbc4f76b43

SHA256
a370b8a012772cb62aa1086fdb575227e9eff1a34d5b081d9be8ccfa7dabaa90

SHA512
65348062bb0d4ba794feb2da5fa2baead540fa808cc8f2e5fb449a4ecc65fca4544aa382466142d7de2cbddc9393a070d980c38565b9bb20ad5bf110943463ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2560.bat

Filesize
722B

MD5
a4f34f0ce770d926529b6185c26a89dd

SHA1
7b16a91268c0669701ab047ee96e5790313f9a15

SHA256
516eded6de96973bd8918b1bc010f3274995b9e9bfd45a1fc17b99eaf1c862be

SHA512
ff93c89a1676a071c7c37ce868fb5f1aade775e87c01ba8d7827b4006e3fa75ef03ea2d690f84ef1ce9fbf0e23db3b7aa96e0cd060e2fcf8250b9cf368d2e87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a27F5.bat

Filesize
722B

MD5
a8f627171633179fab9045cd614800d2

SHA1
41e1d4e6c2db055cbb175ce9fd272aff1e548590

SHA256
78038fe3ce846baf6f6a4bf20e3c5cd218c0be7aceb2c94897a14cf113a89a12

SHA512
cdce1295cf2d755e0040b468c677170cc1d2c4ac18921145ca211c9c1f3a5e99ccc0144fb35f1a2ecc63e2de16c5106ca1957173eff29f9875c8abf77be26d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3CB6.bat

Filesize
722B

MD5
8162df34ba14e5631c9283f8294d2d12

SHA1
a8d2ffb56e553e637d52e7829e5b1f99e5a07ec3

SHA256
367412a0de5d3ce2bb5a9058b68e9cbb78e96338735983ec41107af4c169a7ab

SHA512
890813e05c30ff9d6f02c8f35335a4a1ff5081b667faa543558f083d06132ec7393735a657cbcd4154cb118892ed865f3f8a3fd61eaad9c5bc7ae71c6d991a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4D6F.bat

Filesize
722B

MD5
e6c696aada24560399373e993a4cb695

SHA1
e53f820e2dead7d23c47c6d4e166008ca23f53a3

SHA256
b88ca4f8aadf5f6daa0f74bc188ed73c849045e5a6e0cce993462afaddec0d99

SHA512
72cd514a71fad5b6f3b9d5789f70bbb98a0392172898c54ee8f99542a116e331d0ce30901fe1c6638b306d22f9add9406edff217f0b09c602d6c3e7d4369d85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4DA3.bat

Filesize
722B

MD5
567043c8f2b4998e086ca8b18a066353

SHA1
31b50aba80d3c8f6e7a7bb0bf4aa0ff3ff0c6cab

SHA256
05b42d2e2b96f669a5f7bd51f3263db0854fbb7500a2cc99f331efce15557da4

SHA512
3d5d3ad0a1dad75d399856c5fb44cf2d86b2828aea734636a82206d971602ce5f347900b060b068452b5a55297d613ef45a9934f83d4f0452e90fe070cb62132

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4E2F.bat

Filesize
722B

MD5
86b25b1ca2cd206d4b20308893f95e81

SHA1
48ff9816e3b88d209717d14c6ec7e17537cfbfe9

SHA256
cc1311c03046e5feafcea03516e858a826072fde2bbfd8774c6d784abc778e9c

SHA512
83ab1da8fb29cf41d028ab1f38afab864e844c713e14ee60b8d9368521dbd10d56b3c2ef0b5bb8aed5006888c6fdcf3121dba753122f2f69e3f3b31b762274cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5E38.bat

Filesize
722B

MD5
4fd1a10fb9154abda2856677218039b9

SHA1
4834c1c7f0bf5f6fce80cf9ca3026a33da7862f1

SHA256
057b99414bf7bbaa4ecc0c32af6803b4866122102c4a4d5b13ff90b3731a0a84

SHA512
ce84c0d82a4920c97edc2ea9875f7d06d86f363e3ca74f60b50cb055fb25f06619648afa0a647efc43decc0dc85e3619f63929583206c9b4b37e58cc028f3604

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5E7.bat

Filesize
721B

MD5
a046ec03acbb893bde51f24de12d0ffd

SHA1
a506643e2023ce175e49a320c1b481d3ad2a5ee5

SHA256
2f53d80fbacecfe0f5cc0fd708e1ef0e9e7d692a618134679cc40aa75180097e

SHA512
3be92fe1d9b957f5238166a363ab1d93c9c646c3f26dca5a73532bf9421f85a4dd0165f3d21bde9979907536a7bea6d0ca021554e5a8183670704e624d24874e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6EF1.bat

Filesize
722B

MD5
c09153ab5e3b48f15b301ecf1ba5acdd

SHA1
43ee428d0bf2dd8e5267fc5b113d4572b61eb895

SHA256
ce62738739ed27a4edace365e9bd3d526b792b8154ba14ffb4b3959ee4487292

SHA512
01fa7be1bf372a3f96de437e5b2305eca5ccd32882bc53b9dc44b868c7dfae258cb3093a9fbd127d9423c62d432f57e3a23be2882496430f4fff028e15c854ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8028.bat

Filesize
722B

MD5
8fd252e4481f0bc70516118312c857c0

SHA1
0a2f73cf6fa45c133be5cac10a8c644f5f7500ee

SHA256
3710ba8c0d13b8ca792dfaab08e60decb8cec6c8b5dedec5b0210a25702b316f

SHA512
6fd606f6f54294fb49a57031b4d268a59110ae01076cb341e3872891088c05a0cf7d1d6955741eb4b6550577f3c6b0be6441fe1a62c4f7d2d634786a29efdcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9277.bat

Filesize
722B

MD5
82466c88169346a168cf1c1cf068f6cb

SHA1
117c8a138b476fdd49fceef4da577cc276836964

SHA256
fa8caf2be9747c08a3b526d234bb5743df947c425ddf4bb34d52f7b8e475a874

SHA512
37da98701701bba8a3a6e7d4a0301ce2e6e5360077cbcd0c2e1ed53d686bde2452a80eb3d19f2e4a9bb3c77f2e8f1264059e6a899fe7ad99a0100a40884b49da

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA8ED.bat

Filesize
722B

MD5
967f11209ed33cdfab95cc93267c64d9

SHA1
5380ff4398e44ec82721d12f2f990fed733ae515

SHA256
9c97a8e27d4be5e9be946a3e49b4e746d80f44d8e19aeda789b206e54713cef6

SHA512
75fd9b5f899d7b33757eb4a7ee546ca364c804d4725710f55a6b168026e7a2a1aa45c179dd2783900627b5a669ef7cf68b02d54152c24894a2a0d831db50b0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBC75.bat

Filesize
722B

MD5
88c4f6d1be7a72b6024fb99b036dbd27

SHA1
bd7f54fafaa51fbbbf67b44d96fa8dc3dd6ee3d9

SHA256
76b9c2437b280662461030bba1f4da1c0ccfd444683a5faff77c68c1610ddd69

SHA512
2e58331ff557dfb8933587a1288c2391922cd1f52b17ba66e7dece78039d01d24c4bc6adf841a3f0d05caeb7cde14c9455e0aa91ba91f697e6d654e329439c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC6AB.bat

Filesize
722B

MD5
ddac01e05c14e6ad2f8f29cbe2d82f87

SHA1
3c60a0a37d6d03283239f01ff27f1ad6a8d30bf7

SHA256
cb56109b89a53f1e2e202d6a08f76c8a5d2fe34b4ddb24a4c74dc6414de899da

SHA512
1c11eef255c34411d16f76cef4e1f909cea6a692d645031e6121ea7f62eb3733d2eb973d4195cc2a30408a41c083286d47c2c1f80c0d146f2e0caad654186592

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD29D.bat

Filesize
722B

MD5
81c72ace56caf8a74155970f4ccd8cb6

SHA1
947866da1035237cdfa9e45654d0e0ae2518eb3e

SHA256
b387ef7a2cb4d178984a43f426e439679beb51e772d1b185b00954f600e48d26

SHA512
83255c7c46b99277e3bd5d09bdf60ffa803fcf603ccc8c23631f8e23acf751a904f2da94ea8eb5c69f81f09a9bb075d44f53f6b643d0e571c00389a352d74704

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE167.bat

Filesize
722B

MD5
b10e0b4124f59c8df3d952f31544808b

SHA1
5006e1fe7471489ed4dccac8b6328362f0dd5c46

SHA256
d994b38fc69e424dfb2e86cfcd06a8059a843b5dd039058faf49fb1391b6e39d

SHA512
fceb6de874956750ac2f6ea7b4ca3abd717cb6f07e1d7e6ace69bfd6305e79eb15f587434b191324f29d4de6c51544ce1c843669cab5c0eada676aeac4d4a9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF4AC.bat

Filesize
722B

MD5
a1a5d513124e09091ad85210caab8b02

SHA1
98de3341c75c4dda70c755814eccb99e76570a15

SHA256
4ca6ab563b46f501185b09def45bd1ed2ddd9a9ef7e1343182dd8d25daa42e69

SHA512
373ef4429edcc8b20ea891ee2a5d38d609f2c2418dff28b225a333e391d4e263b3b37b1d1d63aca312810c0a76e5ef59cfda3ebb777bbd95da46e5e494278001

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Filesize
7.1MB

MD5
0555a01e078496ce5fec52c27e7b1cfb

SHA1
ab8c3af05fb15cf1d4ccbfec666c490c1094c1e0

SHA256
d412dc70a599bacaeb80138f428e2aaed127daeb5c281d2f524f47ab1b87b16a

SHA512
90426ca864cecf00eba216083a91fa79a7495f2d858d8b4b6944986b268f6d97d383d0c303acf02211e9d74589615b021bbc6ea8d3ea70d49920e622cdd4249c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Filesize
7.1MB

MD5
7398126d0f9e59951270034c91521718

SHA1
d2c3fff9b8728360b072ada04b7b480276004eda

SHA256
695a607cd42666baca5e78c62d30ce466162526f87b6f240cf280b2248f6eb89

SHA512
2092b5c84617ba3d811d000f9a0cb08a58039c147a539f96f8625cf63103e1da6fcc9464a83917b0058d33432e271725c482d8e460df38d0c8e97d74395a01aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Filesize
7.0MB

MD5
e9dfb1ebba03040461aff20545f9d69f

SHA1
9f2267c208aa6c2c5fc8ac44c1b7305f164f06eb

SHA256
6105aafdc8b82f108e08f22103ea6220faadd30a58a0067cc7501a017e1ab051

SHA512
b246a7b964629cea21178556a6bdc10fe3b461272492ccd3053c01fe12106f7a63f14eb2cadb96000b5c855e37826a07cd177e82d3962a7455e47dd82d1d11da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Filesize
7.0MB

MD5
62f27083787ee8cd424938248c7c7cd1

SHA1
e4b6a8631af40b58619964aa1b7cac839b54f157

SHA256
7001405173ef736836f72b3e7641c2187db060136db4cf89db3a976e46cc03e4

SHA512
6bcd7200de046d2126a29d451f267fd326dd8ef962b0fc0b7876c4563c53263c47694da2cf1a81c6a304a90f10c751354c9186d15482c303d735841f23e13368

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Filesize
6.9MB

MD5
fe862d38295d7a0652cd0d96bcf68636

SHA1
dfb1d42c94b5f2d9bb8e9794251cb8bc63705947

SHA256
312c8f4295b4a6de9bd528f5cfd44839f65ffcc3e08092ecbc3a8ce4e3d4ed6e

SHA512
657f62957509f42d4b5535d8c06ec85534cec247541cb5e9f469838b169dc435157340414567459c0cc97fb205869f1ee7d397c562d3642df134a9a0e70b6f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Filesize
6.9MB

MD5
7b7e95a967bdce25c43703e0ce775bf0

SHA1
e23a4fe5acabbc6b7f9973418c39feb187ec5a53

SHA256
44d20edc69eb35d23e69ca0642b53905baa670c396fb49226aa2a9592fc5ac1e

SHA512
a7bd50da88e9bf361a58452925f2b4b836dc6cd56dab7070afc946fe151aee9da8b99cb2f890ef1c8109d350f83dd36f489ea1a712f3cce32e3d72c253e44106

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Filesize
6.7MB

MD5
6963444a60175983affb3e2ab90fe5f9

SHA1
e6435b1b08bf7a81fd28d5706a293f417132cf41

SHA256
9098eef1353f15fd2ef6e512dee350ec0005d331b420e683a03b5c1c98bcb157

SHA512
4b57b5f84b70a748291d62f1ffe2e47604d5495866eac268494d4e942c069713e586d513ae68c5af9134746971293b5da5498b0fca3659b30a6929d0685e05d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Filesize
6.5MB

MD5
df382ea3ff4398f4a4d837c8987f22dd

SHA1
43806d21a48c3015e89b36a4481420ec7b0a4687

SHA256
99650978423e57f212baaacd81b9dd16cf99bace741e81f7f1da8d978170fbb1

SHA512
9a0528cf8ae65f5e1c200dbeaf8259fac47082459374d8f0c6bcac4a80fdc9c09b6c27d6fa52a47dfc9a7e1f0636c979f91e0733d0cad65de677985b146281e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Filesize
6.6MB

MD5
b6628a0c81e332f07e2baccfafdc2be0

SHA1
8c0accce34f79f77fef1f4f0d61fb923a60d7d91

SHA256
57c2462a9dfcaef6e211b3d5e4cd651d5ce3698157e9727e7e767250f91183ef

SHA512
0915d7ab2fbdcf7bbe84910920f7f55443ed1bd1f3c29a3ed6e96586f0b8c205985eaa88e3e2edbf0ee49a786f7e615e09c9138e1c43adf85baf0f4e10a8be74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe

Filesize
6.5MB

MD5
9f2369a963b8e88b266984aa7b02f86b

SHA1
923efab3743c19d91dab6968cf97b5f430b2c07f

SHA256
b4e7a537d03ab538f1d7fac968295fba68d6895fdde63c1384910041b7469f08

SHA512
2cb5136b1e90b94dfdd043b5c37779b782213bcfdc70a1aef60019cae2fa7743bd0da3933647b0b3be463339f2174b7d70c1818157ef7231434a61d7a35b0374

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe.exe

Filesize
7.1MB

MD5
dc4ce2aabcd8f3563113bfd643489559

SHA1
aeaa8b162ad546f403ae1af66e1c25b36cf0ca59

SHA256
53e1242fc0f5e9c9a81fdde721a7c5f364c6748c4d273c66a4c297208d48c729

SHA512
a55ed55c882e55b1502c92d78e443c8a3ae8adf620bf0d68838a87cae769b36a19fc60124cd5f9f9d31c8b7325b5b08207d4470080c7d92cd4e3dd682c40a653

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe.exe

Filesize
6.8MB

MD5
64654d18d1deef98c95770b1be6906d6

SHA1
3eaed3ebd59016380875516ada680fb9d30b74b3

SHA256
304e9dae2c7dabf04b027c23c231a0ad296ad3f131616320d40573c2a8e052ec

SHA512
84e02ab7b625ce36a361eee2d1a09715e1df73e4c267efd9dc921731e748ce70e3d25e4e36075039c467808211fdc98a3415a8f577fcf9e6ef3e4ef0676e48a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe.exe

Filesize
6.8MB

MD5
5407f68845c447de77bbb3fe715ecb24

SHA1
95495a8d1974a2541a339fbfcbedcad62cca085d

SHA256
c546d7c93ac912cdf1624e436b49231562546c555893fd9498d199bc7b288372

SHA512
740c99a563103f018540bcef8ca2b94dd3fb4fd1f6a60fbe6569943d7a446a6ae86e146f9824a2c63040302ba02ad9e5cd9321249a709df5ade2096533a29e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe.exe

Filesize
6.8MB

MD5
428eb5b94bfbe4178ea8b9383bbf56d3

SHA1
a6bb411c6f1713d062072a1b30b2f7fd4c31cb35

SHA256
63b97192cf720abc7907cca3d70fdc78c28cfd561971c97520100d0a7f7a06c9

SHA512
79647dadd3b30d2b86ad6dfe4ceec30f988991e5ee7dd00f2f0c81a371bb46bdac22717d270290f878c614e086fb23383bf26af919f2536d50207d9733d0bcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe.exe

Filesize
6.6MB

MD5
b6b1e4c147f553074c77b00a4e98a35d

SHA1
b0f38820daf13466a584e0382ff04321f6dedf25

SHA256
912a273fec82d9aeda9ab2ce50931291effb32687fac5d703c4069cd265c0282

SHA512
756fc0d2c71304e20595335419c413dfe3d1d4264c20042348736d58a9572074fe855b943acab3d1b98afa96da73e128787c2bc897af4a4bb638db7c9a620392

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe.exe

Filesize
6.7MB

MD5
623d2aeef94622cfdbb1dba473115acb

SHA1
91047961597093bda43579c754f6faf7b49b0184

SHA256
3eb86ebe7d7b106d6cb31d16af728bf9e450652844cb7d2af7720b72ad90cb6e

SHA512
2327c9aeb20b12aa91c764ae1816c1c98097e849845822c92bf243d64f2f19257d412ef4d87abcd2aa797ee7b6c380fbf8231f2cbe08e0bd62244e871e95c556

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe.exe

Filesize
6.5MB

MD5
d2db703748ff151b019a70b179c817d8

SHA1
4fafc376d12eb4d55f9cf2f8ce1385f2e65dc260

SHA256
4bc469c4c014f7dbe8c4a1283d144503191ba1d3d877277e8d5bbee0ce543675

SHA512
d58885a0fd98e4e7301cfcf15ffc44f64201c7ff619f48b7d971292dd57ef135a2c7889c81ecbf0d99b3fdeb45806547f86a6a28267910903e3ded1e4a62e1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35214eab87212c297a24ff1f9d051e44dc25ffeda0e750e88b1fd7a0401f4c.exe.exe

Filesize
6.4MB

MD5
4b3307d24bc930eead9454dfb9c35259

SHA1
4e13e284ff62e55325d985cdab068f2ff21821b3

SHA256
a7f8fdced886b5d5a59d86550cdd5f7ae7a4d7c86aa651d25f5e23246a9eb944

SHA512
c6b05bbd6a953dd334ca559b4a25a34a77151f2cf29677a39a51a4cab35a6ec0e313def61e0e8d5ffe24cd3b85a9d455a032df3147c7d2b8f14f20cca7e6c619

Download Submit
C:\Windows\Dll.dll

Filesize
92KB

MD5
4013279ba9e12a3f6e6d4e288fc1568d

SHA1
25d149e740adeaf4f750acf8945cee2814628bb9

SHA256
684282aad338a0db114734088a571275ead2c04db6cb94c4fc90dcff70b398e7

SHA512
953050813b9849f242b419c89b0f014f3547214262e669b130fc7c13d1d66794b696a95665718e43ca9a099a9e264fe59a3d11c39ebd9bad497a85fd759e5889

Download Submit
C:\Windows\rundl132.exe

Filesize
44KB

MD5
5f2d8db8803f3aee3357da7db29c2462

SHA1
37dc511f9fdbbc2d32de9c2fec65e5599933095f

SHA256
94c19e462b89a4546637ad02a81b5fac230feed1f86c0b3edcd7df7f91fc522f

SHA512
7a0a35cb164d762cc2f3ca89d5834ea7ebc8851081f18163ed5ca26cf74d5018a7cf37ee3c5541e6d519e801af25853e8069972f7a3a7a14177022156ca958e5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\_desktop.ini

Filesize
8B

MD5
8ca26bb1fe4da60eed2a231635eb2857

SHA1
405090f7801e12b524dae9c7d0fef9a3fa8b41d8

SHA256
503d5e11de7bb526313442e7b0380b9fb27430b5ada8ad10b5008827c8a4fc54

SHA512
6852196fcd3912e037e41764f999dbb155b95d7b706e496159ac06845e46ec03a875d8a6a3a54e1316d9ce2986fdc17fdaa98024aa3a3c69f276d34ebf0c7426

Download Submit
memory/896-311-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/896-307-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1080-362-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1080-366-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1232-382-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1232-285-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1232-281-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1648-337-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1648-341-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1776-390-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1796-302-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1836-446-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1836-442-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1908-469-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1908-473-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1976-485-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1992-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2016-441-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2176-406-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2176-402-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2200-454-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2208-489-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2260-410-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2352-505-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2424-261-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2424-271-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2572-481-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2576-397-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2576-494-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2576-504-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2720-419-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2840-423-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2932-11-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2932-258-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2968-464-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2968-460-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3184-433-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3184-429-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3328-459-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3524-493-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3540-428-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3540-424-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3620-325-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3740-450-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4040-318-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4228-294-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4228-290-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4308-468-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4312-357-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4340-374-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4340-370-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4536-287-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4748-437-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4812-477-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4840-346-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4840-350-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4968-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4968-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4988-415-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4988-411-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5076-333-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download