2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 22:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe
Size

101KB
MD5

c982d024f5ab4d7f44d895db026d1837
SHA1

e1a5d4a20ca2bdeeec9fdde5589bf61b86c2d3b4
SHA256

2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3
SHA512

2751c2b1581661ae0418329be5cc77bde5016df468ca3ef265130e8f874a9a32be1dd206c16ad68f107127ac784297614e1268b633556d9bdd01fd03e90a4e84
SSDEEP

1536:IefgLdQAQfcfymNz2Go0VeoE4p9nV5Icq+cRXZ2N4xHuF8sQWNe5lb1PW:tftffjmN6GvE4pL4zv2NL6sRe5lxe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4844	Logo1_.exe
4472	2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactNative\Tracing\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\ko-KR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\DeploymentAgent.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sv-SE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\en-GB\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe
File created	C:\Windows\Logo1_.exe	2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe
4844	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2200	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 852	3856	2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe	88
PID 3856 wrote to memory of 852	3856	2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe	88
PID 3856 wrote to memory of 852	3856	2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe	88
PID 3856 wrote to memory of 4844	3856	2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe	89
PID 3856 wrote to memory of 4844	3856	2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe	89
PID 3856 wrote to memory of 4844	3856	2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe	89
PID 4844 wrote to memory of 3636	4844	Logo1_.exe	91
PID 4844 wrote to memory of 3636	4844	Logo1_.exe	91
PID 4844 wrote to memory of 3636	4844	Logo1_.exe	91
PID 3636 wrote to memory of 4108	3636	net.exe	93
PID 3636 wrote to memory of 4108	3636	net.exe	93
PID 3636 wrote to memory of 4108	3636	net.exe	93
PID 852 wrote to memory of 4472	852	cmd.exe	94
PID 852 wrote to memory of 4472	852	cmd.exe	94
PID 4844 wrote to memory of 3148	4844	Logo1_.exe	60
PID 4844 wrote to memory of 3148	4844	Logo1_.exe	60

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe
  "C:\Users\Admin\AppData\Local\Temp\2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aADF3.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe
      "C:\Users\Admin\AppData\Local\Temp\2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe"
      4⤵
      Executes dropped EXE
      PID:4472
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4108

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
a87a63f1d34e67b55a85e09c2e8f3d89

SHA1
f9ddadadd1d9308574b67033db940dfdb128d244

SHA256
0b0a3ef78d63506a36b89358270ff96a9f42b95dc8a55ec917c3dc072d798e57

SHA512
ec60903b3389d30523d04de88ef7f75fc11af018d2e4a7a3656c5148fbbc7dade2fc9f4e1c7875d9760f3eb569305628fa19abc9931a315c171e50b08330aa84

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
484KB

MD5
a47e8beae71111af9af6998c617ae09b

SHA1
06dc053f62e2bc1135ac0ee92b34efc280d5033d

SHA256
c977d418fd4bc6017d918c5a724dedb30ba09c87e1878a0e592d7bccc969f596

SHA512
377d48e2b29bd306dfd55c85fb7c620c3bc48a544cbd7e8b246ace050e3df551c2b2ba551d4ad0a2a234854de115db1c7072d29ec669d5119385b7f8625d2cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aADF3.bat

Filesize
722B

MD5
6f47aaebb0f67a98575e9aacf321ce8a

SHA1
aba8f59c3e59b5142353b8e072f77dc25daf94bc

SHA256
69a5d4ddee998d7a2cc9a3e68292ecdff1cc699ed33014b30d8dc85e4b3d07dc

SHA512
f6291a568751323c36d9d8318fdd9609974b92dc33256437a8e92692ce425d798b2da26371e8b9be6310b9d7d28ebd35422e3c5a97cc6befe1a6ab926e6cd861

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe

Filesize
75KB

MD5
a7851a05e83f42f741a804320c485083

SHA1
b76d2e6eb6d2bf289a5118c908578906851460d0

SHA256
3600ff58fdb37f53562e626fd74d6f4d8d39925d711a96f221bb4aca7992926a

SHA512
eadbfbee79aa0f34b35e0a9c9d717b3c8ac18729df8e52332b696352a2a41d0da37119ab1cb81a10bb7854b930e6479686f8fa8b5a447d48213e3c1c9304ce7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c835fc4e52bb18b181cde9445d4055f49f4ba6c98f5e359ea5c772b1e2d35e3.exe.exe

Filesize
75KB

MD5
a7851a05e83f42f741a804320c485083

SHA1
b76d2e6eb6d2bf289a5118c908578906851460d0

SHA256
3600ff58fdb37f53562e626fd74d6f4d8d39925d711a96f221bb4aca7992926a

SHA512
eadbfbee79aa0f34b35e0a9c9d717b3c8ac18729df8e52332b696352a2a41d0da37119ab1cb81a10bb7854b930e6479686f8fa8b5a447d48213e3c1c9304ce7b

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
af4aa190d08fe222e2be7da523824c9e

SHA1
9f59a5e39bf7efe4bd1514cc0db1953d1dea0358

SHA256
a046ced4dc861dd8a659d24d7c039a139eb407242a7e6c633a9b90f2f90f83f9

SHA512
77437effa4a99c7fba14c926ffed9c13bff8ea1f0ce766587a3327b31f70fd54c67b05b47072afa83cc6c91e2642c8efd78ee1da136deeee6f79f0cd1d51b505

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
af4aa190d08fe222e2be7da523824c9e

SHA1
9f59a5e39bf7efe4bd1514cc0db1953d1dea0358

SHA256
a046ced4dc861dd8a659d24d7c039a139eb407242a7e6c633a9b90f2f90f83f9

SHA512
77437effa4a99c7fba14c926ffed9c13bff8ea1f0ce766587a3327b31f70fd54c67b05b47072afa83cc6c91e2642c8efd78ee1da136deeee6f79f0cd1d51b505

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
af4aa190d08fe222e2be7da523824c9e

SHA1
9f59a5e39bf7efe4bd1514cc0db1953d1dea0358

SHA256
a046ced4dc861dd8a659d24d7c039a139eb407242a7e6c633a9b90f2f90f83f9

SHA512
77437effa4a99c7fba14c926ffed9c13bff8ea1f0ce766587a3327b31f70fd54c67b05b47072afa83cc6c91e2642c8efd78ee1da136deeee6f79f0cd1d51b505

Download Submit
C:\odt\_desktop.ini

Filesize
9B

MD5
872506f1dadcc0cedd1e9dee11f54da4

SHA1
d1e87145ed1d918f10ae4e93ccdbb994bc906ed5

SHA256
a0049e98811438481e150df54f7b555026746c943cb03106677bf75b4e412104

SHA512
6cf3aeeed18e66a16ed653a5c33133ec8d5fb58cf42aab9e712cf473233e506d4f14692dff04b7c20847718e5c344ec2651e57d2ae7a034610b07679b786344c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1574508946-349927670-1185736483-1000\_desktop.ini

Filesize
9B

MD5
7b55ef79e83deff31c4c16ca44427d3d

SHA1
cd86347713b82993e86355d6937d54d08aef56b0

SHA256
c440aca6a410ba6673250517487032636dbb9a73d8287b312a49867b99b81f46

SHA512
1a53953508d74b22c37a81dec6767624bf7ca04cf1aa45f7b7a447e63f86cf6a469c89444f9f4b9d902899f4a005dbd6fa1a82fc432b6cf84b62ced9d31f512e

Download Submit
memory/2200-73-0x0000028717E90000-0x0000028717E91000-memory.dmp

Filesize
4KB

Download
memory/2200-78-0x0000028717E90000-0x0000028717E91000-memory.dmp

Filesize
4KB

Download
memory/2200-106-0x0000028717D00000-0x0000028717D01000-memory.dmp

Filesize
4KB

Download
memory/2200-105-0x0000028717BF0000-0x0000028717BF1000-memory.dmp

Filesize
4KB

Download
memory/2200-104-0x0000028717BF0000-0x0000028717BF1000-memory.dmp

Filesize
4KB

Download
memory/2200-38-0x000002870F770000-0x000002870F780000-memory.dmp

Filesize
64KB

Download
memory/2200-54-0x000002870F870000-0x000002870F880000-memory.dmp

Filesize
64KB

Download
memory/2200-70-0x0000028717E60000-0x0000028717E61000-memory.dmp

Filesize
4KB

Download
memory/2200-71-0x0000028717E90000-0x0000028717E91000-memory.dmp

Filesize
4KB

Download
memory/2200-72-0x0000028717E90000-0x0000028717E91000-memory.dmp

Filesize
4KB

Download
memory/2200-102-0x0000028717BE0000-0x0000028717BE1000-memory.dmp

Filesize
4KB

Download
memory/2200-74-0x0000028717E90000-0x0000028717E91000-memory.dmp

Filesize
4KB

Download
memory/2200-75-0x0000028717E90000-0x0000028717E91000-memory.dmp

Filesize
4KB

Download
memory/2200-76-0x0000028717E90000-0x0000028717E91000-memory.dmp

Filesize
4KB

Download
memory/2200-77-0x0000028717E90000-0x0000028717E91000-memory.dmp

Filesize
4KB

Download
memory/2200-90-0x00000287179E0000-0x00000287179E1000-memory.dmp

Filesize
4KB

Download
memory/2200-79-0x0000028717E90000-0x0000028717E91000-memory.dmp

Filesize
4KB

Download
memory/2200-80-0x0000028717E90000-0x0000028717E91000-memory.dmp

Filesize
4KB

Download
memory/2200-81-0x0000028717AB0000-0x0000028717AB1000-memory.dmp

Filesize
4KB

Download
memory/2200-82-0x0000028717AA0000-0x0000028717AA1000-memory.dmp

Filesize
4KB

Download
memory/2200-84-0x0000028717AB0000-0x0000028717AB1000-memory.dmp

Filesize
4KB

Download
memory/2200-87-0x0000028717AA0000-0x0000028717AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download