cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe
Size

46KB
MD5

7628003f4744a604377dbf289902eaf9
SHA1

9f19d11d8722e3cc9ae3676576e16b9f220d1a00
SHA256

cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17
SHA512

7c4774615634d8427fb174cd0334ec8504dcf199b8ee48a1ae478cde158c64d38b4b2acb0f8fe877619dcbe1b62fe44406b8742501d4b83a1c3c677e0b6fa277
SSDEEP

768:7Y1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLSnVtPCv6NFZhfyDG7aUf2hSn:7KfgLdQAQfcfymN+VtlhfxaUfTn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4156	Logo1_.exe
1956	cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bg-BG\View3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.221.1104.0_x64__zpdnekdrzrea0\SpotifyStartupTask.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe
File created	C:\Windows\Logo1_.exe	cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe
4156	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4576	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1112	3036	cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe	84
PID 3036 wrote to memory of 1112	3036	cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe	84
PID 3036 wrote to memory of 1112	3036	cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe	84
PID 3036 wrote to memory of 4156	3036	cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe	85
PID 3036 wrote to memory of 4156	3036	cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe	85
PID 3036 wrote to memory of 4156	3036	cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe	85
PID 4156 wrote to memory of 4324	4156	Logo1_.exe	86
PID 4156 wrote to memory of 4324	4156	Logo1_.exe	86
PID 4156 wrote to memory of 4324	4156	Logo1_.exe	86
PID 4324 wrote to memory of 3008	4324	net.exe	88
PID 4324 wrote to memory of 3008	4324	net.exe	88
PID 4324 wrote to memory of 3008	4324	net.exe	88
PID 1112 wrote to memory of 1956	1112	cmd.exe	90
PID 1112 wrote to memory of 1956	1112	cmd.exe	90
PID 4156 wrote to memory of 3248	4156	Logo1_.exe	51
PID 4156 wrote to memory of 3248	4156	Logo1_.exe	51

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3248
- C:\Users\Admin\AppData\Local\Temp\cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe
  "C:\Users\Admin\AppData\Local\Temp\cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a733C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe
      "C:\Users\Admin\AppData\Local\Temp\cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe"
      4⤵
      Executes dropped EXE
      PID:1956
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3008

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
69f6da654a3a49de8590243642d590c3

SHA1
f78aaa784459c8ae30c9a3c4d3859e2c865fa1f8

SHA256
56be6a70c7a51c57f12564c5da636e21c3238a085f6dcdb3ffcb3d3e61d4ccc8

SHA512
3bd6cf50d13e42ce4264c24b67bccf93e45d360bcecf496df62e22678dbccd8ddc774e575bcd83332fcdf13e2b8f6b4a40df30ec07decf5915dfdeedae21e684

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
484KB

MD5
4e68211d5ca5b4384780da7163aca122

SHA1
067ede6d5d2e700aede8416cbc1344b48bc7f403

SHA256
3fc8a84a337c74c13ea397c9fd998726b36ccab37404f05a3460c0ee4be2d38d

SHA512
9e0d960b1bba53fef5641d5b26ac1798547882cf3d556d58a14bdaf30c00dd5e88b569a7ea362f9f60c92b001aa3267e1968854f45f0897f4b27fdacf16f14de

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a733C.bat

Filesize
722B

MD5
2213521aeeeb707b3ea2ecb09349b523

SHA1
9562eaad51911c760aac5b59a07d79f8edffa113

SHA256
e7d8d59be706c677bdfcaffe99df3d4b1c877f3442b4cefc6ae66224ade6ad8e

SHA512
9b757ef835145b507a9249ac672885fdd2c434572b72d44a8f82dbbc53fa7db89af8aa2c0cff297934fa1c675b78d634d6a47516cb7da253c8864e8a2aca3a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe

Filesize
20KB

MD5
eb0efb5a05aee8f8a6f685fbb0f29a04

SHA1
0fcd8c62db64b9b28c10969ba8729a78254aeef0

SHA256
167b2f7a37aa70859ad94cb2637c86cdeed06beb573343bcbcc653c45cb6bbc6

SHA512
82af250491356e58cb4f6efa239fa4d84f834578db429c707d829a4baf211095a94accd17f6e6f10c38c48ce559bf08ecf53365b0290728d342ec8ed0276a049

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfc678b3c41de2924916997fea1d3c9fa28b6e64d32fdd1511b7da0f021b6e17.exe.exe

Filesize
20KB

MD5
eb0efb5a05aee8f8a6f685fbb0f29a04

SHA1
0fcd8c62db64b9b28c10969ba8729a78254aeef0

SHA256
167b2f7a37aa70859ad94cb2637c86cdeed06beb573343bcbcc653c45cb6bbc6

SHA512
82af250491356e58cb4f6efa239fa4d84f834578db429c707d829a4baf211095a94accd17f6e6f10c38c48ce559bf08ecf53365b0290728d342ec8ed0276a049

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
28948521636f027a6e321d0ece85f68b

SHA1
4cc393871c2174328558347094d44cef430836d9

SHA256
37d128b4b8f41d2ed52a38ef4b628fa082d4693729b1af11d4067a1781a1a197

SHA512
2952a8aca9924a6c5a1dbdb94f79a9da49696e88c06f50ca1ce3390efb2b9bb86c8fd1184a160e810485c8f7ff11bc0d58c22787877ae5a46c66d1a6a8173c3b

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
28948521636f027a6e321d0ece85f68b

SHA1
4cc393871c2174328558347094d44cef430836d9

SHA256
37d128b4b8f41d2ed52a38ef4b628fa082d4693729b1af11d4067a1781a1a197

SHA512
2952a8aca9924a6c5a1dbdb94f79a9da49696e88c06f50ca1ce3390efb2b9bb86c8fd1184a160e810485c8f7ff11bc0d58c22787877ae5a46c66d1a6a8173c3b

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
28948521636f027a6e321d0ece85f68b

SHA1
4cc393871c2174328558347094d44cef430836d9

SHA256
37d128b4b8f41d2ed52a38ef4b628fa082d4693729b1af11d4067a1781a1a197

SHA512
2952a8aca9924a6c5a1dbdb94f79a9da49696e88c06f50ca1ce3390efb2b9bb86c8fd1184a160e810485c8f7ff11bc0d58c22787877ae5a46c66d1a6a8173c3b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2344688013-2965468717-2034126-1000\_desktop.ini

Filesize
9B

MD5
0387f4acd0cfa16ac07fab88bff7f344

SHA1
60da1a37a16077ad337f6a91cc4acb9fba2940b3

SHA256
0b1b21f717a6f4add9692073f01b9b560898213b197ef3b47165d56be17c617d

SHA512
7d52216da22ceed1afe2b9d31fcea1798b2879eb6426d3634f38b7ea296627c516ff022d3cfe34df3aac4fa6fb6e2ad8eb21d2c9c040c83c53ea79487b1d13ab

Download Submit
memory/3036-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-4456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-1278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-4810-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-4811-0x0000018C613A0000-0x0000018C613B0000-memory.dmp

Filesize
64KB

Download
memory/4576-4827-0x0000018C614A0000-0x0000018C614B0000-memory.dmp

Filesize
64KB

Download
memory/4576-4843-0x0000018C69810000-0x0000018C69811000-memory.dmp

Filesize
4KB

Download
memory/4576-4845-0x0000018C69840000-0x0000018C69841000-memory.dmp

Filesize
4KB

Download
memory/4576-4846-0x0000018C69840000-0x0000018C69841000-memory.dmp

Filesize
4KB

Download
memory/4576-4847-0x0000018C69950000-0x0000018C69951000-memory.dmp

Filesize
4KB

Download