Analysis

  • max time kernel
    149s
  • max time network
    105s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30/06/2025, 17:43

General

  • Target

    29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe

  • Size

    904KB

  • MD5

    8be7024a19f3ba4a71539f42ec6c7d28

  • SHA1

    746eb185a9ff8cd572f9ef50db7f5916559f844d

  • SHA256

    29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5

  • SHA512

    45041ddabd62d5bc95d9175b440952acd085cc4429cf1f16468b18de03976c82075fdead9fd430712008316d94068f612e20b17b143e5dbc1e34589a7275daad

  • SSDEEP

    12288:VjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiG:kfffffffffffffffffffffffffji

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 28 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 31 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
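
The Processes section below shows the behaviour behind "Executes dropped EXE" and "Suspicious use of WriteProcessMemory": every copy of 29fed93761d6...f4876f5.exe runs cmd.exe /c on a %TEMP%\$$aXXXX.bat script, and that cmd.exe in turn starts the same executable again, more than fifty levels deep within the 149 s kernel window. The Python below is an added detection example, not part of the sandbox report. It runs over constructed Sysmon-style process-creation records modelled on the first hops of that tree (the PIDs and command lines are taken from the report; the field names, the benign control record and the hex-suffix pattern of the .bat name are assumptions) and flags both the %TEMP% batch launch and the self-relaunch chain with its depth.

```python
import re
from collections import defaultdict

# Constructed records modelled on the first four hops of the tree in this report.
# Field names follow Sysmon Event ID 1 (ProcessCreate); the last record is a
# benign negative control that does not appear in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    {"pid": 3220, "ppid": 1, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2868, "ppid": 3220, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4816, "ppid": 2868, "image": CMD32,
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a48B1.bat"},
    {"pid": 6068, "ppid": 4816, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4192, "ppid": 6068, "image": CMD32,
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49DA.bat"},
    {"pid": 3536, "ppid": 4192, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2012, "ppid": 3536, "image": CMD32,
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A38.bat"},
    {"pid": 2456, "ppid": 2012, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    # Negative control (constructed): an ordinary cmd.exe /c launched from Explorer.
    {"pid": 7000, "ppid": 3220, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir C:\Users\Admin'},
]

# cmd.exe /c <path>\Temp\$$a<hex>.bat : the batch naming seen in this report.
# The hex-suffix shape is an assumption generalised from the 26 names on the page.
TEMP_BAT_RE = re.compile(r'(?i)cmd\.exe"?\s+/c\s+\S*\\Temp\\\$\$a[0-9A-F]+\.bat\b')


def is_temp_bat_launch(event):
    """True if this process is cmd.exe running a %TEMP%\\$$a*.bat script."""
    return bool(TEMP_BAT_RE.search(event["cmdline"]))


def temp_bat_launches(events):
    """PIDs of every cmd.exe that ran a %TEMP%\\$$a*.bat script."""
    return [e["pid"] for e in events if is_temp_bat_launch(e)]


def reexecution_chains(events):
    """Map root PID -> depth for each EXE -> cmd.exe(.bat) -> same-EXE loop.

    Depth is the number of times the root image was re-launched through a
    %TEMP% batch script; a depth of 0 is not reported.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    def relaunch_of(exe):
        # One hop: exe -> cmd.exe running a temp .bat -> process with the same image.
        for cmd in children[exe["pid"]]:
            if not is_temp_bat_launch(cmd):
                continue
            for grandchild in children[cmd["pid"]]:
                if grandchild["image"].lower() == exe["image"].lower():
                    return grandchild
        return None

    chains = {}
    for e in events:
        if e["image"].lower().endswith("cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is not None and is_temp_bat_launch(parent):
            continue  # a relaunched copy, not the root of the chain
        depth, current = 0, e
        while True:
            nxt = relaunch_of(current)
            if nxt is None:
                break
            depth += 1
            current = nxt
        if depth:
            chains[e["pid"]] = depth
    return chains


if __name__ == "__main__":
    print("cmd.exe running %TEMP%\\$$a*.bat:", temp_bat_launches(EVENTS))
    for root, depth in reexecution_chains(EVENTS).items():
        print(f"PID {root} re-launched its own image {depth} time(s) via cmd.exe/.bat")
```

On the constructed records this reports PIDs 4816, 4192 and 2012 as batch launches and PID 2868 as the root of a chain of depth 3; on the full tree from the report the depth would be in the twenties and still climbing when the run ended. The chain check is deliberately independent of the .bat name, so a variant that changes the `$$a` prefix is still caught as long as cmd.exe launching a %TEMP% script re-spawns its grandparent's image.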

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3220
      • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
        "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a48B1.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4816
          • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
            "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:6068
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49DA.bat
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4192
              • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3536
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A38.bat
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2012
                  • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                    "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                    8⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2456
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4AC4.bat
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:5864
                      • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                        "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                        10⤵
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:3400
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4B32.bat
                          11⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:2680
                          • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                            "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                            12⤵
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:4232
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4BCE.bat
                              13⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:5240
                              • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                14⤵
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:5036
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4C4B.bat
                                  15⤵
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:3328
                                  • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                    "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                    16⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:2240
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4CC8.bat
                                      17⤵
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:1676
                                      • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                        "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                        18⤵
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of WriteProcessMemory
                                        PID:2432
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D45.bat
                                          19⤵
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:3380
                                          • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                            "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                            20⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:5728
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4DA3.bat
                                              21⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2196
                                              • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                22⤵
                                                • Executes dropped EXE
                                                • Drops file in Windows directory
                                                • System Location Discovery: System Language Discovery
                                                PID:4732
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4DF1.bat
                                                  23⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:5264
                                                  • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                    24⤵
                                                    • Executes dropped EXE
                                                    • Drops file in Windows directory
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2476
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E6E.bat
                                                      25⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:4424
                                                      • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                        26⤵
                                                        • Executes dropped EXE
                                                        • Drops file in Windows directory
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1672
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4EBC.bat
                                                          27⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1904
                                                          • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                            28⤵
                                                            • Executes dropped EXE
                                                            • Drops file in Windows directory
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1316
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F0A.bat
                                                              29⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1436
                                                              • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                30⤵
                                                                • Executes dropped EXE
                                                                • Drops file in Windows directory
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4700
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F97.bat
                                                                  31⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:4856
                                                                  • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                    32⤵
                                                                    • Executes dropped EXE
                                                                    • Drops file in Windows directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:104
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4FF5.bat
                                                                      33⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2500
                                                                      • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                        34⤵
                                                                        • Executes dropped EXE
                                                                        • Drops file in Windows directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1004
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5052.bat
                                                                          35⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:412
                                                                          • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                            36⤵
                                                                            • Executes dropped EXE
                                                                            • Drops file in Windows directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1612
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat
                                                                              37⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:5296
                                                                              • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                                38⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in Windows directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:4908
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a510E.bat
                                                                                  39⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3816
                                                                                  • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                                    40⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in Windows directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2324
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a517B.bat
                                                                                      41⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:6100
                                                                                      • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                                        42⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in Windows directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:3820
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a51E9.bat
                                                                                          43⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2368
                                                                                          • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                                            44⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in Windows directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:3900
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5266.bat
                                                                                              45⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:5788
                                                                                              • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                                                46⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in Windows directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:3064
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a52B4.bat
                                                                                                  47⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:4052
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                                                    48⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in Windows directory
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:2348
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5321.bat
                                                                                                      49⤵
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:3756
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                                                        50⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in Windows directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:1092
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a537F.bat
                                                                                                          51⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:1336
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                                                            52⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in Windows directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:4996
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a53CD.bat
                                                                                                              53⤵
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:3936
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe"
                                                                                                                54⤵
                                                                                                                • Modifies visibility of file extensions in Explorer
                                                                                                                • Executes dropped EXE
                                                                                                                • Adds Run key to start application
                                                                                                                • Drops file in Windows directory
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                PID:4688
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4892
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5688
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1928
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\1DF55.com
        2⤵
          PID:4104
          • C:\WINDOWS\FONTS\1DF55.com
            C:\WINDOWS\FONTS\1DF55.com
            3⤵
            • Modifies visibility of file extensions in Explorer
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:5168
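The tree above shows three behaviours worth turning into detections: cmd.exe launching a `$$aXXXX.bat` from the user's Temp directory that immediately re-executes the same binary (levels 49 to 54 here, and the same pattern repeats up the tree), `net stop "Kingsoft AntiVirus Service"` issued from `C:\Windows\Logo1_.exe`, and executables started from `C:\Windows` itself and `C:\WINDOWS\FONTS` (`Logo1_.exe`, `1DF55.com`). The following is an added example, not part of the sandbox report: it runs four rules over process-creation events transcribed from the tree. The rule names are mine, the parent PIDs that the page does not show are set to 0 as an assumption, PID 9001 is a constructed benign control, and the "anti-virus" keyword in the service-stop rule is a deliberately loose heuristic that a real deployment would replace with its own product's service names.

```python
import re
from dataclasses import dataclass

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe")
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: process-creation events transcribed from the tree above.
# Parent PIDs follow the nesting shown there; the parents of PIDs 2348, 4892 and
# 4104 are not visible on this page and are set to 0 (assumption). PID 9001 is a
# benign control event that does not come from the report.
EVENTS = [
    ProcEvent(2348, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(3756, 2348, CMD32, r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5321.bat"),
    ProcEvent(1092, 3756, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(1336, 1092, CMD32, r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a537F.bat"),
    ProcEvent(4996, 1336, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(3936, 4996, CMD32, r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a53CD.bat"),
    ProcEvent(4688, 3936, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(4892, 0, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(5688, 4892, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(1928, 5688, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    ProcEvent(4104, 0, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\1DF55.com"),
    ProcEvent(5168, 4104, r"C:\WINDOWS\FONTS\1DF55.com", r"C:\WINDOWS\FONTS\1DF55.com"),
    ProcEvent(9001, 0, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe /c dir C:\Users\Admin"),
]

# Rule 1: cmd.exe /c running a $$a????.bat dropped in %LOCALAPPDATA%\Temp.
TEMP_BAT = re.compile(r"cmd\.exe\s+/c\s+\S*\\AppData\\Local\\Temp\\\$\$a[0-9A-F]{4}\.bat", re.I)
# Rule 2: net/net1 stopping a service whose name contains "antivirus" (loose keyword
# heuristic, an assumption to be replaced by the defender's own service names).
AV_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+\"?[^\"]*anti-?virus", re.I)
# Rule 3: a binary living directly in C:\Windows, or a .com file under Fonts.
WIN_ROOT_BIN = re.compile(r"^C:\\Windows\\(?:[^\\]+\.exe|Fonts\\[^\\]+\.com)$", re.I)
# Rule 4: the same image appearing this many times in one ancestry chain.
CHAIN_THRESHOLD = 3
# Script interpreters nest legitimately, so rule 4 skips them.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def self_relaunch_depth(event, by_pid):
    """Count processes in the event's ancestry (itself included) that run the same image."""
    target = event.image.lower()
    depth, cur, seen = 0, event, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.image.lower() == target:
            depth += 1
        cur = by_pid.get(cur.ppid)
    return depth


def evaluate(events):
    """Return {pid: set(rule names)} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        hits = set()
        if TEMP_BAT.search(e.cmdline):
            hits.add("temp_bat_launcher")
        if AV_STOP.search(e.cmdline):
            hits.add("av_service_stop")
        if WIN_ROOT_BIN.match(e.image):
            hits.add("windows_root_binary")
        basename = e.image.rsplit("\\", 1)[-1].lower()
        if basename not in INTERPRETERS and self_relaunch_depth(e, by_pid) >= CHAIN_THRESHOLD:
            hits.add("self_relaunch_chain")
        if hits:
            findings[e.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(evaluate(EVENTS).items()):
        print(pid, sorted(rules))
```

Rule 4 needs parent links, so it is only as good as the telemetry's PPID accuracy; on this page the chain is unambiguous because every relaunch goes through a fresh cmd.exe, and PID 4688 (the level-54 copy that adds the Run key and hides file extensions) sits four copies deep.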

      Network

            MITRE ATT&CK Enterprise v16

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\$$a48B1.bat

              Filesize

              722B

              MD5

              4a2fd41e9890f3d4dc4ff56600ce494f

              SHA1

              74dada022eccbc615b42addb8803307cae027c7b

              SHA256

              aaeb46a032ab82dcdc523af5546b1a5104d909c6ba992afc735e6ac728cbcaa1

              SHA512

              d61844780b91ebd4fdde7763999d40c284773ff66d2a7f70b12ced36e978ac97383777e8111163d8cb53efed6f309c7d5765ba7d762d256d61d02b8ce79bc30d

            • C:\Users\Admin\AppData\Local\Temp\$$a49DA.bat

              Filesize

              722B

              MD5

              04698ab1677b500474434215d1b260a3

              SHA1

              7036b4fc642a3902f65a3a32c98ef2320e6349cc

              SHA256

              0105adecb794207027c98c846327094540fbc0a46dae3a676222fda390c3ae2a

              SHA512

              b28affb25f9ae6dc666dbc4d7cdbb74b5a6ebe440b73f6c947d3c03a2e0c450933a099aa295ef458e727cc274ca1c465dd4fde71cd14806e4deb974cd6759f51

            • C:\Users\Admin\AppData\Local\Temp\$$a4A38.bat

              Filesize

              722B

              MD5

              b73fb5588cc214630c046d5aa1d214f7

              SHA1

              a3ff2699ae3e1156097808a189255cd14e78601c

              SHA256

              305ddf3b07983231dccd49118561d62e4e617d8480e524293c71526c9e6fab7b

              SHA512

              63bf42814d6270d3a98601d2be6716c6496c38442a0905e6e7eeaf7a801433f51efef165bbc5fc74348b0be8f26d9c0d0fbb8ae7b2ccf6ca99b095eecac390ab

            • C:\Users\Admin\AppData\Local\Temp\$$a4AC4.bat

              Filesize

              722B

              MD5

              5e75a53caccd4897a8a4d7fed8f3ba2e

              SHA1

              1ac54f93f0f486f22809602d288abebbea5b2298

              SHA256

              ec216e6596013a2a9d280fbef9562e4f8d0aa1a5dd65946d9416324579229bd2

              SHA512

              0c79150a7f7ee186853dc9b70cab27d60f7818f02c9db3b7eb6be9f4b6149dc3df1a422f3773814f08b512c6fc61edabb95ba90c62b2aa30482da6ce39557150

            • C:\Users\Admin\AppData\Local\Temp\$$a4B32.bat

              Filesize

              722B

              MD5

              fb455267415a09a2aadac7245997e449

              SHA1

              0174a1a784e1260a1463eff3874255884f15679b

              SHA256

              d1f2b91de70a5169964562b367ba5e0b29858d6cbd2766ca5ce50a18c916ee6e

              SHA512

              c40640e5dd1dcbfa4cdd5cbaf27336ff4562abae4dfe1212c00e99dcef6dec044ff886e65c0dcbf9416a7a30b5763b351c4dcae2d93194722086c49954fb6cf1

            • C:\Users\Admin\AppData\Local\Temp\$$a4BCE.bat

              Filesize

              722B

              MD5

              d3de69590b0551f47e8e1b8e8f3cb636

              SHA1

              475d3e8c74d0f0db379cae00763dae4b23479b46

              SHA256

              b0ed7ded5388d3ae00195e3b2817fdb2bd7d11c452ce46937d3d9d0ac517ac2d

              SHA512

              0d2007e18f796911c6cedf8c2ebf6b4044f1145b802be26f7c60acb0762657d1a92b2618a4475394f30e2f763a8c3992bfe6a330ade5b56af24188fb98d131bd

            • C:\Users\Admin\AppData\Local\Temp\$$a4C4B.bat

              Filesize

              722B

              MD5

              c179d9c70789f3daebad719cfd8c1605

              SHA1

              66fa6ad4db4874198d0408e51eeaf8fd14259340

              SHA256

              fe3ad47fa2b80d072a09504d5bf11627c43385a448778cc7c6810221f9a8426e

              SHA512

              73d8e5ea84118656a182657ef1d40420d3d8dacf3f392f4f2a56d6af60ab3f33c77cb84897cf06b8df7c48d4d4f08655f4be329af2bc7b7f9e9bd758593d6e4a

            • C:\Users\Admin\AppData\Local\Temp\$$a4CC8.bat

              Filesize

              722B

              MD5

              e139cd8b5c4d96e86b447be2cfd35208

              SHA1

              2c40341e937302659678f0312d662bf46b722388

              SHA256

              8da6244e112c9156fd37f68e7f1eaeca50079a9bfc94e7e2af961e1afc4eb12d

              SHA512

              139ee5f22f7c72c57172f22d4b20b142bdc512103fc6f9967ed3684b2850394958e422dd8ac58164690955ee5a502416fd17d97b0866587a54bc4e8debeca432

            • C:\Users\Admin\AppData\Local\Temp\$$a4D45.bat

              Filesize

              722B

              MD5

              d18d66f8cf51d425702372e75681e912

              SHA1

              b5156526c03aa005ba020cab74a2d0fa84fa8d6c

              SHA256

              6e58103a2f51744be45999f3ecf9b79267bedfc4ecdecbd415bae97526459a8b

              SHA512

              c5e0a30b6f665e6a2cd6c94ee7b03625ff892b09bb667585fd7f7f0ecda1d5856ba5c5b88a893c5eb452548ff8addaa228d1ba387fa30773bad5cf7a322ce15c

            • C:\Users\Admin\AppData\Local\Temp\$$a4DA3.bat

              Filesize

              722B

              MD5

              0167fa7d59c347db19cb756d199e4a48

              SHA1

              67b7ce4235a7ac24540f8c3c468f3bfc1ff04523

              SHA256

              62249fba382fc1480d9d242771b5288271d437184d07452693899d9fa91811bb

              SHA512

              2a2637c33cfdea3dfcd18061e301c5fd693070ed482f2e190521eab1d0163e06e9e9c6e6e765380be9331bfb2aad60dd341c373e7a0a17333ca00029ceef938f

            • C:\Users\Admin\AppData\Local\Temp\$$a4DF1.bat

              Filesize

              722B

              MD5

              aa6201e7a86308e7a31e691e3e7de60a

              SHA1

              0fed3af8033b0a991cf74d767ab1a37405f4c5df

              SHA256

              48b2557f438ff1b85e5592088a531525505a765f4ac8d6e37c6afa15f95d14e0

              SHA512

              337081ccb042ce41e7fcfd6edba367676aaa654cca77197eede10e91b55978456261dcf61890dfb612f0c720126d8bf7d7c538f5432b08945c8e31d8982377fd

            • C:\Users\Admin\AppData\Local\Temp\$$a4E6E.bat

              Filesize

              722B

              MD5

              1fd9ae1973c081a479fd6f250154f23e

              SHA1

              111969bb4617820ea3b6d7782659665d506be059

              SHA256

              258b28ed6641051703cd6cd9cd52646da60bab69717cdc360d2a8d299efca5b4

              SHA512

              c515ef77d04b4cb6a3687eec4fd42f1a6cceb080b18a48a1aa70f1b92f35b733d5e81633104a73a84729c9859ab65061abf0b44a2e1bd71aaf5cbfc120acdcfe

            • C:\Users\Admin\AppData\Local\Temp\$$a4EBC.bat

              Filesize

              722B

              MD5

              a0c214b7126db4f88c05b8ff27275218

              SHA1

              025ef8be4b13038d0111f655bfc0cd1313999cb5

              SHA256

              25bb3820bba686746104e3aa409be1f4cbd24a0513370d46b5614fe020628212

              SHA512

              2d0d8f08be86943e7a4f19f1fa68627748439016e4edb974302056e666d98dbf5a679260a1167a6bf3cb23e19cd3360e8c569575916d9dbcd59bab52c8469e5d

            • C:\Users\Admin\AppData\Local\Temp\$$a4F0A.bat

              Filesize

              722B

              MD5

              5389d795f4bd3ee9639be115664652c8

              SHA1

              647837eded7ba92900ca3a74b4cbe67abaa2eeb4

              SHA256

              91c5439f3fa097b2975a40e02b5c3da6c95b3e7d6d4286c283973644dbf16954

              SHA512

              55b0e1cf5bf32a387c30029cc50f69004b33e6ffaf59f6ce2ed4cbff2e5ad632c3382c6bdba3a7ac9dedaae563748262e3fecd2c2bc116f10c62e484fa768236

            • C:\Users\Admin\AppData\Local\Temp\$$a4F97.bat

              Filesize

              722B

              MD5

              285e1d1fa77b9c911aade9f8b50ae1b2

              SHA1

              9b3058bace8173ded3f024c994889f30b1296e4f

              SHA256

              bb8b18b9e2a28b275aabfcbcf9c2369162f1cb1029feca3e82985fa38489ecfc

              SHA512

              db08293e9de2599939f936b595887a8c0a2f8869d4143f418e9d2ae68048730e7e12cf13142650576dc1b34296702650243955910069eaf718d9ab506fcd4c1b

            • C:\Users\Admin\AppData\Local\Temp\$$a4FF5.bat

              Filesize

              722B

              MD5

              0a6e1e30b4637b2b5bb0885567ddfde8

              SHA1

              8555bbeca21725c93e0fec02e1a97df5ecfe47fb

              SHA256

              d29702e0f902a106559e75be7c986123f7f8549ed118e1f01c3d99e1ac56a2b7

              SHA512

              b87afd107b0689bfbdecb6e17ea48a24cf09829267709c6bc9d53adcb6608f69ccf68a3c2f83f0c3a92319fd1707f76c019e56af7b7b229d4b862cff7bb1ef5d

            • C:\Users\Admin\AppData\Local\Temp\$$a5052.bat

              Filesize

              722B

              MD5

              6e02362ca67e5efc8787f7fda48abde0

              SHA1

              1aa1cfdd61f44f46086b718718e84e9bf722f980

              SHA256

              6580d4675573bb65ba59bf448909787ecbb12dc44cfc5547cb5068f2d430c3b8

              SHA512

              46ab4a5e41950b2cc898e82500b5b399c1964596fb36a0eaefcaab70dd2d39a81996402a1fa953e22aebdc2b4f0285c5cc56c48468133a2dd942ecdbd74f9906

            • C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat

              Filesize

              722B

              MD5

              ac224a083f13b58defba5d93d1d18f9b

              SHA1

              2bdfc20d6015c80ee3c76935c6f8e9ba47bfa72b

              SHA256

              9d02ac2e0d3c38b5ba9c65fb20269a38bbd5d71d60882f76800e1562261e2e2b

              SHA512

              6eb976885cd0deb5b06984a3a1645201cb9c0206fcac72513c341099f1d17496b10fdae37c6ea73c06b69c9d4c772c377c14ada8e7989a1edaaf07ee4630ecb7

            • C:\Users\Admin\AppData\Local\Temp\$$a510E.bat

              Filesize

              722B

              MD5

              b1341653fa68532ee381dedb67f3bf44

              SHA1

              e58b691eaedded9370391a295e47910cc891a122

              SHA256

              5cae226237de33a29793aa51bc9d2dd529b0d649036a545c4ccc10a785fe9c5e

              SHA512

              1ab51fbc8beede662905f7c41e25be00bd61b58c54bf302863a296015047bb3f34462fc48d2f966deb8fdaca186b44ae6893a6235033d881f54015d12f3dcdb4

            • C:\Users\Admin\AppData\Local\Temp\$$a517B.bat

              Filesize

              722B

              MD5

              b4ccf659a939dfb914ac38e56ccfe943

              SHA1

              b00f1dc61a37397ca868fb0760ecf382a538b17f

              SHA256

              c0a3ec8196d9e5cedde76b83f82e39aa66322283f245c59e9467bdd2d33fd899

              SHA512

              d9cded0515a88aad901867562dc985191b7f2cfc80bdbf1d3431b58b9392cf625556ac673b5cb642533fbb5627fe2a71e3cfda8723949472fd7fe33ca65775c6

            • C:\Users\Admin\AppData\Local\Temp\$$a51E9.bat

              Filesize

              722B

              MD5

              0d8a53773806992882ee1e462ecfb7d7

              SHA1

              8841e704d5293ea8cad86c6fd3fc39ec48aab55a

              SHA256

              2ab5324fcaf0544375f50ffe22e3322b92c824361f3fb3de2ea58210cab7c835

              SHA512

              6b9340496825b6e334e7099f587c697cd5d95cb556aae20dcb6d8f5432359c64ce1e545ee55813fe448740ed07891278361708673c6f9abd6c5ec122a02daaf5

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              872KB

              MD5

              b7ef4ac77f450bdd50764ff7fb40e83d

              SHA1

              d46c294f7a5c420f3e2eb953f801badc1c39e47c

              SHA256

              a5c6ae4e19893f62a5a1c617ffaf6de4c3798a29c104bd762f751ced5bc37e2c

              SHA512

              bc3ad0c91fd347c70a14f1372194d783c039150b8b8cc60fba162758fc8d18a5cccd22f52dc896a5d8b7e2f8ac34007016b823254c91937e3a1e30fadad65b06

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              839KB

              MD5

              4b9090bbfb7f607d3f882346eb71a169

              SHA1

              e8f4ba0d869ae0cee44be9614fae66a0f747e82e

              SHA256

              845c138b1678dc87cc210759b3f24392641998e1ccca50ab900308f2adb61737

              SHA512

              2944f9c9fe1a402c8698de350d671b2579d163e0f4f0e605e98e7b1796ee1285bdbe4f3bd0556fe3dd5fba320b4887b1f53ac17cb9f825bd9bb12984eaf97dfc

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              287KB

              MD5

              56cf1234d82b459b0d4b0e91312d62da

              SHA1

              18c24408609bb6546b66e41bd6e8dfbd013563fe

              SHA256

              c11d5b1dc931fd3aaf644df9fd7d8febb921c71a918a221202d0f48a105831d0

              SHA512

              57d70544604eda2438d4a18cc3a87fdb948ff62e15296a8525bf127e1758ae045bf3fe2b4c46c3196d07ae5ad50ef296169c99fec8c93f2bb93b39798feea6f3

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              807KB

              MD5

              0aa288c5b3ca45282e87c439a49b5c0c

              SHA1

              99f8e63ee28874a2c0f2fff016258e5a3505a192

              SHA256

              9bbe58bc26f108090bd120292fb2aac65c17fc037e3fbe063403958bd46a8149

              SHA512

              d71c82261d06806e8df7bed5448221fe7e6d3f3d7543f5454112e81359238cb13f262038437fe7e907e934cc828f8bec8feb2783d51622bac5115075ca83ba12

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              774KB

              MD5

              7a0a4cc842cc4d8f9ce9fbb050ff7cfb

              SHA1

              2abef4041ba3f639fcb365a9427df2d1685f5d32

              SHA256

              2b3131d58f0175abc9cf7bbfacef4870821db3fc9855c876706200d18824d761

              SHA512

              9a764930c0fc4b8fe796952c857d8c786664267c5e760bb1c3c22cf51584dcd6c1e2da214a0b66c6cca187578b24d60408911fa2cf00ced0545a4732938cf898

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              742KB

              MD5

              36fdfa112c8964f87fe6ea00dfbaf13f

              SHA1

              184f2afcf27e086cbe5ad066d51fa9ea45b465b8

              SHA256

              16efba4ff6d80842fac37d2e135e97a215502d7f6fe1bf897993f68f129beeea

              SHA512

              d7b0a155fc5ad3a67cf8a7310f120a947753c6f35f6d9aca661a5e64ede5918667298380942f85bc3acde87a2b4ed5127f5bc047a76e22a2ae37032e2f9ffbb7

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              709KB

              MD5

              94e7a7c4097a8be425e43e8374b3e07c

              SHA1

              9afcc2b390e850aa4c0eb03c8e6c9a2220731fe4

              SHA256

              c6a1a91a7264b1323900533252c9932f112d3fe77aefe97ab4cf58caa8a9a8a8

              SHA512

              7e8a07547f37a6a238a8b6ed35ab05b79e4a3b205b90839887f7bae2a355a5a736272646a8b8432336598322e9e6e765f6088cf76e8112870539fe03b6b37d18

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              677KB

              MD5

              bf21200d0730b76ed14331c26efd6f9a

              SHA1

              e50ad28d7eeff0af91450b1baa57324cd5c07e8d

              SHA256

              31de1be72fdd7aca5a430396c3e8bfed2642ca160020b56348e54302098280ca

              SHA512

              3811b7fe345953504e8001cfdc48e53d0672b0e29cdaeb67a0ea58468313e2889483b6b8677e68fcdcfac0ac9f724ce769a955f4a66179141374b55a2259636e

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              644KB

              MD5

              4d08c3836fddb6ff034253da2ddd8212

              SHA1

              5448488a994ae7de593802e9d55074848f7482cf

              SHA256

              9fed7013f9c4f5cae66f7f6fb7fa21ea8d801b203fcd224cc2a0a7994accfae7

              SHA512

              8a27a34fd77cdf05ff35c63524be0b2c6de8a7add0affe104468f01eabf52739add080aea2f550bca2ebff1b95d5b0e66a3bcce00dd43797dbba645447cf9e30

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              612KB

              MD5

              80cb0a885f223c77b49eb94535f29be0

              SHA1

              c631c770d41d0b6043521c3b16838d02554ee952

              SHA256

              214996f8328d42c20b13e8a847d8b0b33100e5180e0a748a220e24a84ea4ceda

              SHA512

              91ecef3a67a184fe531e1ca7616553153c0585bf2262373a4d167b911bda73704b106c688c560a1c82cc076cc3762b2481f02ceaf31b89892f90a6fcf01f92f0

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              579KB

              MD5

              28bd5c3abf0b5b887d65baf1994b56a6

              SHA1

              86102826cbdc7e7801eae5ab3c51f67c88411eef

              SHA256

              d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91

              SHA512

              1e2446e3e68c6038a9a8ead218942dde6bec49cd3d311ccd94f15c94a769fcea5d8433d22ec8ea9ab065acdeeea8ad30be9bd9daf4f9ffa50fa28fd06e38c186

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              547KB

              MD5

              0137dec43c77f401659bcd7a4032702c

              SHA1

              e40ab90e560caa2734ba3e46c5cd5aaa684b3eea

              SHA256

              6cb9ea30ccbbd5f19396010e30c7e4aca6cba55894014a64412a43511ada433d

              SHA512

              c434bcd9e0beb61137a55fdb11b17d3ce0445f058791923bac3dd326d658db319b35f2226d7c450d1b7baad6f24c53637b14fede37b173cb672ffc5a46e9e740

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              514KB

              MD5

              f0866c2d2ab43b833b957787b4a08526

              SHA1

              1410b5b5faf130cf22160968238aab93bb3c960b

              SHA256

              ebd70e789f272064e045929c7d1d0bce6f64a5a5c056ea2e70ab1542ab3ce1ae

              SHA512

              6a4813362a23f390922388eb8123aa81af797cb6435dbe6ded1dc281d54135c93ee5b6567f55586210808384f27052e76eb07bcc3641a9906294f88f4a499a2c

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              482KB

              MD5

              47db56aa979056f9beba80adc63e72ea

              SHA1

              1dc36f048b9ed9f98f7f9ef069f26193dea713b8

              SHA256

              bc1183cf270c5164bd3e4c6ad4c1fc32a729fe5aba53784e52d76238d7f873e8

              SHA512

              f2f520e95283a73a009eb3b8be439c386dd921cd008b68a78594df744053611057b7e7f6794388edf63d93cc4ba1349d2cca9415a9c2e317fcd5047d0e12adb9

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              449KB

              MD5

              6d9545c6556a236a67207db368fcdce2

              SHA1

              b44856864eeb77f2d73d71fbfd323f006363c3fb

              SHA256

              27d02f0a88d28829a83f1cb05a90fd47798e1ff91591029793a9ccfb6d8d14da

              SHA512

              344bb66f4200dc7b91ec12c6dd73f8a5c9bf6f0942fa12ba65be2d8f7081efa723defad4f604a4b907a39282fe80ed97433b84601f5e4abb40ed09905da72a5f

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              417KB

              MD5

              a5e603ffd2f00e966f2230590c221c66

              SHA1

              297c2d9fdc76fefca09dac5bf5b20b7ab9510890

              SHA256

              9bf22ad59d805cd058457dc980c7d66388923ef0c00bf60fbd2d28933f621737

              SHA512

              632725977a5452af0cb57085bb49833cd9f99c05f81c3477bdbc39c1d3198b8227a862f711e95740729e2c7fdef1ceb1562da8bab5dad4da7df932dafe9b0f2f

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              384KB

              MD5

              a353218f7897ca4ea7b1ff4416fe1817

              SHA1

              84d8a5c89b0193eac2f74bd315811c68022946d2

              SHA256

              ff4695e69b9c508b085d5dedf5fd3cac436076f56dc5b098920713418dac3c89

              SHA512

              df38221aa63a6c0d4575dddcb51ae00373dfcd566f09d90748aa4aec661359f64e81ac4feffa8280068abc35c512dc15f343989ce769074d88b5f744e03aaaac

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              352KB

              MD5

              00428256f70551c84c7321970cdc53cd

              SHA1

              ea6d64e78c991a1978fc8018928b4a82a4d1564d

              SHA256

              41b8de82fa304213245bbaf54a95d9bf62a621478b8918576309fb6e89eda97c

              SHA512

              b9c20a134a1fadf59fdf7ad6638f6ef7882c68f8d68b539e2bd75ce4df31430ced6cc270b4dba47fa037faefce4209374d27118bd759e6d81aa5091d1bdae1be

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              319KB

              MD5

              e9d499bb915d58a3a58429209eb00b7d

              SHA1

              8715af16ec2efe464f486eefd15a5d248e3caebb

              SHA256

              f6baf3ee157e1e1798836bbd3ef63de56d4573c6c81f1fb68a3f64c8d5fdf992

              SHA512

              b9a408171b0827496f81490e9351401943e5de79c19c3da234b05fc543dde913c0f2928f73d5a207d8e5df30954b320f5006faf70a5591ae93de84ca659fcce6

            • C:\Users\Admin\AppData\Local\Temp\29fed93761d652598daf49e56d2c51946b69cc3807f27d52466712471f4876f5.exe.exe

              Filesize

              254KB

              MD5

              7d5a6de393b9a9d8b97e5f85f8d96ef6

              SHA1

              27ee54c58fd5133e5e53dfdc09bcc4a921cac422

              SHA256

              4af8e75dfddfde4ce118b847e95e77fad7f775aa6e0824e586932c4807059e7f

              SHA512

              ac397a542daa97822d06b763217b55da2663c4c73c01b70a335844278a4fe60e4b1b00a31fe2f7b5954cc9ac4d46f0a8cd5f9d639ad64b260e5f4cfb2642550e

            • C:\Windows\Logo1_.exe

              Filesize

              32KB

              MD5

              cdaabb480b7d3c10c6f4f451c8c08d69

              SHA1

              667ce007c73b1d663decd86d730227569d23acbb

              SHA256

              f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842

              SHA512

              389083da42235678a2d2b3420729fd46be6c0139b9177dc39108252cbbc24881d610e0637f12980f86c042ec79abcf0bdbac7d94610ab11269f8b0f44a6bbc31

            • F:\$RECYCLE.BIN\S-1-5-21-2238466657-712128251-1221219315-1000\_desktop.ini

              Filesize

              9B

              MD5

              8d5d367ed8a2afc1fc0b8fc7d14da98c

              SHA1

              fddfad39cd8b448d0d3dbb6e9c67752999568783

              SHA256

              93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6

              SHA512

              3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

            • memory/104-122-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/1004-129-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/1092-180-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/1316-108-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/1612-136-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/1672-100-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/2240-62-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/2324-156-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/2348-176-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/2432-71-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/2456-34-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/2476-93-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/2868-11-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/2868-0-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/3064-172-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/3400-41-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/3536-27-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/3820-163-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/3900-168-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/4232-48-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/4688-186-0x0000000000400000-0x0000000000410000-memory.dmp

              Filesize

              64KB

            • memory/4688-191-0x0000000000400000-0x0000000000410000-memory.dmp

              Filesize

              64KB

            • memory/4700-115-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/4732-86-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/4892-8-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/4892-10233-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/4892-2655-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/4892-82-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/4908-149-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/4996-185-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/4996-181-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/5036-55-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/5168-10240-0x0000000000400000-0x0000000000410000-memory.dmp

              Filesize

              64KB

            • memory/5728-78-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB

            • memory/6068-20-0x0000000000400000-0x0000000000444000-memory.dmp

              Filesize

              272KB
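A few things stand out in the Downloads list above without any further analysis: all 21 `$$aXXXX.bat` files are 722 bytes yet every one has a different hash; the 20 dropped copies of the sample are all written to the same `...f5.exe.exe` path, and when their listed sizes are ordered together with the 904KB original they step down by 32 or 33KB at every level from 904KB to 254KB, while `C:\Windows\Logo1_.exe` is itself 32KB; and the only two processes whose dumped image region is 64KB rather than 272KB (PIDs 4688 and 5168) are the two flagged with `SetWindowsHookEx`. The following is an added example, not part of the report: a parser for this label/value layout that turns entries into hash records, checks each digest has the right length (a copy-and-paste error here would silently neuter a blocklist entry), cross-checks memory-dump sizes against the address range in the file name, and computes the size steps. The excerpt it runs on is four entries copied from the list above with the blank spacer lines removed; the size list is the 20 exe sizes in the page's own order.

```python
import re

# Constructed excerpt of the Downloads list above, in the page's own layout
# (blank spacer lines dropped); the four entries and their hashes are copied
# from the report, nothing else is added.
EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Temp\$$a48B1.bat
  Filesize
  722B
  MD5
  4a2fd41e9890f3d4dc4ff56600ce494f
  SHA1
  74dada022eccbc615b42addb8803307cae027c7b
  SHA256
  aaeb46a032ab82dcdc523af5546b1a5104d909c6ba992afc735e6ac728cbcaa1
  SHA512
  d61844780b91ebd4fdde7763999d40c284773ff66d2a7f70b12ced36e978ac97383777e8111163d8cb53efed6f309c7d5765ba7d762d256d61d02b8ce79bc30d
• C:\Windows\Logo1_.exe
  Filesize
  32KB
  MD5
  cdaabb480b7d3c10c6f4f451c8c08d69
  SHA1
  667ce007c73b1d663decd86d730227569d23acbb
  SHA256
  f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842
  SHA512
  389083da42235678a2d2b3420729fd46be6c0139b9177dc39108252cbbc24881d610e0637f12980f86c042ec79abcf0bdbac7d94610ab11269f8b0f44a6bbc31
• memory/4688-186-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize
  64KB
• memory/4892-8-0x0000000000400000-0x0000000000444000-memory.dmp
  Filesize
  272KB
"""

ORIGINAL_KB = 904
# The 20 dropped "*.exe.exe" copies, in KB as the report lists them (its order).
DROPPED_EXE_KB = [872, 839, 287, 807, 774, 742, 709, 677, 644, 612,
                  579, 547, 514, 482, 449, 417, 384, 352, 319, 254]

SIZE_RE = re.compile(r"^(\d+)(B|KB|MB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
MEM_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)


def parse_size(text):
    """'722B' -> 722, '32KB' -> 32768. The report rounds, so KB values are approximate."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNIT[m.group(2)]


def parse_downloads(text):
    """Turn the bullet / label / value layout into dicts keyed path, filesize, bytes, md5, ..."""
    entries, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
            label = None
        elif current is None:
            continue                      # text before the first bullet
        elif label is None:
            label = line.lower()          # Filesize / MD5 / SHA1 / SHA256 / SHA512
        else:
            current[label] = line
            if label == "filesize":
                current["bytes"] = parse_size(line)
            label = None
    return entries


def validate(entry):
    """Checks before the hashes go into a blocklist: hex digests of the right length,
    and for memory dumps a Filesize equal to the address range encoded in the name."""
    problems = []
    for name, length in HASH_LEN.items():
        value = entry.get(name)
        if value is not None and not re.fullmatch(r"[0-9a-f]{%d}" % length, value, re.I):
            problems.append(f"{name} malformed")
    m = MEM_RE.search(entry["path"])
    if m and int(m.group(3), 16) - int(m.group(2), 16) != entry.get("bytes"):
        problems.append("memory range does not match Filesize")
    return problems


def size_steps(original_kb, dropped_kb):
    """Differences between consecutive sizes, original and dropped copies ordered largest first."""
    chain = sorted([original_kb, *dropped_kb], reverse=True)
    return [a - b for a, b in zip(chain, chain[1:])]


if __name__ == "__main__":
    for entry in parse_downloads(EXCERPT):
        print(entry["path"], entry["bytes"], validate(entry) or "ok")
    print(size_steps(ORIGINAL_KB, DROPPED_EXE_KB))
```

The size check deliberately says nothing about why each copy is smaller; it only makes the pattern in the listed numbers explicit so that an analyst comparing this run with another sample can see at a glance whether the same per-layer reduction appears.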