124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe
Size

103KB
MD5

b14d0d9fc2f8ca14bcc13e2912171aae
SHA1

8ba2fbd5bba87ad5428cfc9515b8674a2f1e425e
SHA256

124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00
SHA512

2a31f544395579cad1e3c756098febbb2bba7746d40a664c786378e673deac39887429f4cfb5071a09f950472c467358684908c93678fc9c1741399bc89ba5af
SSDEEP

3072:bLftffjmNATKZMRF+qqELfagnus3i6BR+8Cu1:nVfjmNCKZMRF+qRhi6B0a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1028	Logo1_.exe
4400	124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\gl-ES\View3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe
File created	C:\Windows\Logo1_.exe	124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1856	dw20.exe
Token: SeBackupPrivilege	1856	dw20.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 3604	1996	124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe	84
PID 1996 wrote to memory of 3604	1996	124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe	84
PID 1996 wrote to memory of 3604	1996	124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe	84
PID 1996 wrote to memory of 1028	1996	124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe	86
PID 1996 wrote to memory of 1028	1996	124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe	86
PID 1996 wrote to memory of 1028	1996	124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe	86
PID 1028 wrote to memory of 1280	1028	Logo1_.exe	87
PID 1028 wrote to memory of 1280	1028	Logo1_.exe	87
PID 1028 wrote to memory of 1280	1028	Logo1_.exe	87
PID 1280 wrote to memory of 1296	1280	net.exe	89
PID 1280 wrote to memory of 1296	1280	net.exe	89
PID 1280 wrote to memory of 1296	1280	net.exe	89
PID 3604 wrote to memory of 4400	3604	cmd.exe	90
PID 3604 wrote to memory of 4400	3604	cmd.exe	90
PID 1028 wrote to memory of 1916	1028	Logo1_.exe	42
PID 1028 wrote to memory of 1916	1028	Logo1_.exe	42
PID 4400 wrote to memory of 1856	4400	124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe	94
PID 4400 wrote to memory of 1856	4400	124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe
  "C:\Users\Admin\AppData\Local\Temp\124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB602.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe
      "C:\Users\Admin\AppData\Local\Temp\124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1408
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
70f74cf4971343a9f26aca99c98ed7ba

SHA1
1e68782b838b8c9f824e2f6a09f3dfd17d83bd58

SHA256
1ae1a45c997a071ae877191b2708a820993f6027f0ddae920d51778dd5260200

SHA512
ad3168e3049d3943d7617d019b05b796c15c811ab8e9a7cb0d8da625ca1c8a2a28dcca92a3264ed3e429292e45c1bbf00b7bc6ec71a8b542b2c579f29f0d2584

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
484KB

MD5
6a44873de23cd96586616b1a397fa63e

SHA1
28269d6d3ef82723234a7a9f7bca3d270c7b3865

SHA256
541944133d38f200e2ccfcb27da8ab4e8573472d2121059a5454d2641c6eaab7

SHA512
f25228e04e89d93c3821c06209a0468ab4b40222ebb3628fb522ee0bd35567c7258938ec5de8cf30b3319b1cd68ba773f83b8c1451ea187fddab9616cf4d6f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB602.bat

Filesize
722B

MD5
57c294e13076754c6694ac88c4278955

SHA1
9821e76239e774d10c20e82a0db79086468bc37b

SHA256
87e2bd43d3869eac3d472b8ddf09adcdab427e6b1947e773df64cd6dc2d0f344

SHA512
da5866b0b8bb41ebe05619b7d3a2f6902342c6a9e8bacfd0e6a3205eba442f940043b6b2856f30b07af1a19678c1ae343bcd65a6eb67ac84d7d5cde8855c5a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe

Filesize
77KB

MD5
6ac63d349d17b6b55ff4d0e07ad30e19

SHA1
0186365694505f90c5134832e18fab9583c1ec57

SHA256
57432324e83d5d2be87d7ad01ca3687143eed38b3d049cfb327c5a26f3bf4a01

SHA512
bcd1b9d4da1bd0b8862cf78d3257fec8be1496746378548191b8d63e2d3927c9205f376470266a380dd183a762b7eb3a94aedab8b1f14716d495a1b046148291

Download Submit
C:\Users\Admin\AppData\Local\Temp\124bb58c1b7e152e176e85cb18440ced11d47556d1d6d69dcda2a9fa78862f00.exe.exe

Filesize
77KB

MD5
6ac63d349d17b6b55ff4d0e07ad30e19

SHA1
0186365694505f90c5134832e18fab9583c1ec57

SHA256
57432324e83d5d2be87d7ad01ca3687143eed38b3d049cfb327c5a26f3bf4a01

SHA512
bcd1b9d4da1bd0b8862cf78d3257fec8be1496746378548191b8d63e2d3927c9205f376470266a380dd183a762b7eb3a94aedab8b1f14716d495a1b046148291

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
5b9f516a1ff924c0be92c504618c3197

SHA1
a18de40ea9f4a4c62e99653bd274151c9af4e927

SHA256
1ac67686379ff269e98e2b7221201bc00cbd111f3d7ce7314876730ee7a1a0c7

SHA512
4d20713958ff26df807d0c7773234f25ffb7eb325df7a94c3a93013c531adb1577912cf5f07ecce884b71b5206d9c7247561f9d9af96e6a4f1afff4f13b766e5

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
5b9f516a1ff924c0be92c504618c3197

SHA1
a18de40ea9f4a4c62e99653bd274151c9af4e927

SHA256
1ac67686379ff269e98e2b7221201bc00cbd111f3d7ce7314876730ee7a1a0c7

SHA512
4d20713958ff26df807d0c7773234f25ffb7eb325df7a94c3a93013c531adb1577912cf5f07ecce884b71b5206d9c7247561f9d9af96e6a4f1afff4f13b766e5

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
5b9f516a1ff924c0be92c504618c3197

SHA1
a18de40ea9f4a4c62e99653bd274151c9af4e927

SHA256
1ac67686379ff269e98e2b7221201bc00cbd111f3d7ce7314876730ee7a1a0c7

SHA512
4d20713958ff26df807d0c7773234f25ffb7eb325df7a94c3a93013c531adb1577912cf5f07ecce884b71b5206d9c7247561f9d9af96e6a4f1afff4f13b766e5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1574508946-349927670-1185736483-1000\_desktop.ini

Filesize
9B

MD5
dff4f6f0cc6b8b3bb8efb4a275a8f779

SHA1
e87d0f214e09712ed6d4d73e571edb2c1b140327

SHA256
34eaeafe313f318504cabbbdf6a150f2928ed89c13a836126478f56c6904cd20

SHA512
1a534267509c4dd7c0421a5460ea7b3d58e05ba1343c2f45ca6ca537ff5259f1fae31c68928acba3492875ba270242f41c43ed5d705d31cf9af5a56ca4edd0e0

Download Submit
memory/1028-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-4292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-1314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-1291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-19-0x00007FFE1B980000-0x00007FFE1C321000-memory.dmp

Filesize
9.6MB

Download
memory/4400-18-0x00007FFE1B980000-0x00007FFE1C321000-memory.dmp

Filesize
9.6MB

Download
memory/4400-30-0x00007FFE1B980000-0x00007FFE1C321000-memory.dmp

Filesize
9.6MB

Download
memory/4400-23-0x000000001CEF0000-0x000000001CF8C000-memory.dmp

Filesize
624KB

Download
memory/4400-22-0x000000001E4B0000-0x000000001E97E000-memory.dmp

Filesize
4.8MB

Download
memory/4400-20-0x00000000019A0000-0x00000000019B0000-memory.dmp

Filesize
64KB

Download