db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe
Size

41KB
MD5

6232c3d5e15eae0f468c95b5a59e016d
SHA1

5bb93cdce7ae07316f1bcb381cc06a91ab4cfe3b
SHA256

db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c
SHA512

02a156c246f52114f228994ef5f8fec7f1c6e1408850a674cb604a6933486fa9f1ba59551fbdf8019e7a15d452951d99d1019bfe41586dc0dc7c5afe946b9338
SSDEEP

768:kb1ODKAaDMG8H92RwZNQSwcfymNBg+g61Go0ssQVHseNP3L3baeY:afgLdQAQfcfymNjPNP3HaeY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3452	Logo1_.exe
1788	db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\TagAlbumDefinitions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pl-PL\View3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\UserControls\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe
File created	C:\Windows\Logo1_.exe	db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe
3452	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3696	1712	db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe	86
PID 1712 wrote to memory of 3696	1712	db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe	86
PID 1712 wrote to memory of 3696	1712	db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe	86
PID 1712 wrote to memory of 3452	1712	db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe	88
PID 1712 wrote to memory of 3452	1712	db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe	88
PID 1712 wrote to memory of 3452	1712	db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe	88
PID 3452 wrote to memory of 1300	3452	Logo1_.exe	89
PID 3452 wrote to memory of 1300	3452	Logo1_.exe	89
PID 3452 wrote to memory of 1300	3452	Logo1_.exe	89
PID 1300 wrote to memory of 1620	1300	net.exe	91
PID 1300 wrote to memory of 1620	1300	net.exe	91
PID 1300 wrote to memory of 1620	1300	net.exe	91
PID 3696 wrote to memory of 1788	3696	cmd.exe	93
PID 3696 wrote to memory of 1788	3696	cmd.exe	93
PID 3696 wrote to memory of 1788	3696	cmd.exe	93
PID 3452 wrote to memory of 3168	3452	Logo1_.exe	56
PID 3452 wrote to memory of 3168	3452	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe
  "C:\Users\Admin\AppData\Local\Temp\db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a830B.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe
      "C:\Users\Admin\AppData\Local\Temp\db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe"
      4⤵
      Executes dropped EXE
      PID:1788
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
8591b14f2c92328b95455ec670799642

SHA1
d17c6a31a66dbd3cc53961d2f0e85fdb605af667

SHA256
ce9bfeb973ae43c94157901c348098551f599a8ad1ed62dc845ad9198c029182

SHA512
cf2dfde459a660000e0af861be7708218537319040b220972de5aeca886f8e520f26dcf05902e4b3875ae6bf34576a18334064f100550bb15125c3a46a97445c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
484KB

MD5
7322201ea1f1128a2d6bdea39cc37b8e

SHA1
c646cd395d37fda6aa3a6a831b205b7cf39fa147

SHA256
c3f63033404d2b285b0eba68635f6971debbbb9654b4444b2d0876f214a817b9

SHA512
fe32ba19f98b1f8a28fc32f035778c3fc1a97b52fa1ec6aa10c9a141b82b533752ad7d3f3b9461338e15053305f686432e454b73c05b1976753e04b723733cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a830B.bat

Filesize
722B

MD5
355b6cbdd0e8fbfab80fd84c693a195c

SHA1
080bd80a1ce5cb577352e090e18add4e369a63f0

SHA256
2fac7aea75435996db0a3aa006f8a6532e8e1d7bbabff5935174ce09cc4a004d

SHA512
8fbef45aeafd903f182614ec3a9c8321d17d96b30c441fbf6841485a2675a2ffae901009f4187aeac5558fe09cb516c475be23850c5266fa202c40d0a1e94fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe

Filesize
15KB

MD5
180ee9846fa2bf8b09cbe7891204d876

SHA1
666272260569dae5820aa10f508f798c5a84452c

SHA256
f66dc0485f3d53157c660bb615db2274ce6af5e3117f848bc0a7e50f105244b6

SHA512
a3220c9032b184444ba1e7e86b4c87c1eaa6e4d82c1472768d7962d5abb9cad821641fcdae0ad8dcd260947c19fbccaa2c532d93b842492bfea06639ff8f70fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\db4a99690a44d48efc44e756434611d86ba6255f70192204d65879810ea68a3c.exe.exe

Filesize
15KB

MD5
180ee9846fa2bf8b09cbe7891204d876

SHA1
666272260569dae5820aa10f508f798c5a84452c

SHA256
f66dc0485f3d53157c660bb615db2274ce6af5e3117f848bc0a7e50f105244b6

SHA512
a3220c9032b184444ba1e7e86b4c87c1eaa6e4d82c1472768d7962d5abb9cad821641fcdae0ad8dcd260947c19fbccaa2c532d93b842492bfea06639ff8f70fc

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
effabf58aa1a3a22c697a47eab559ac7

SHA1
48d54b1aa74e05414e98824a769682907b4cba8b

SHA256
142c3db22634f219899ef2f0a60a7f857419dc69d896bec778bbef38c055c5c0

SHA512
6bfbb7159315b1d396edf318539e152fcfbc3aa9a1f8d7737957dd3cf43bffedeee9a60b68a2b2c3cc4025316b16509b5c504eca93619e18806c57af2e5fbc39

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
effabf58aa1a3a22c697a47eab559ac7

SHA1
48d54b1aa74e05414e98824a769682907b4cba8b

SHA256
142c3db22634f219899ef2f0a60a7f857419dc69d896bec778bbef38c055c5c0

SHA512
6bfbb7159315b1d396edf318539e152fcfbc3aa9a1f8d7737957dd3cf43bffedeee9a60b68a2b2c3cc4025316b16509b5c504eca93619e18806c57af2e5fbc39

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
effabf58aa1a3a22c697a47eab559ac7

SHA1
48d54b1aa74e05414e98824a769682907b4cba8b

SHA256
142c3db22634f219899ef2f0a60a7f857419dc69d896bec778bbef38c055c5c0

SHA512
6bfbb7159315b1d396edf318539e152fcfbc3aa9a1f8d7737957dd3cf43bffedeee9a60b68a2b2c3cc4025316b16509b5c504eca93619e18806c57af2e5fbc39

Download Submit
C:\odt\_desktop.ini

Filesize
9B

MD5
872506f1dadcc0cedd1e9dee11f54da4

SHA1
d1e87145ed1d918f10ae4e93ccdbb994bc906ed5

SHA256
a0049e98811438481e150df54f7b555026746c943cb03106677bf75b4e412104

SHA512
6cf3aeeed18e66a16ed653a5c33133ec8d5fb58cf42aab9e712cf473233e506d4f14692dff04b7c20847718e5c344ec2651e57d2ae7a034610b07679b786344c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\_desktop.ini

Filesize
10B

MD5
81570c50286369016cef7a9f904c4b04

SHA1
b5758b23667cb35cad0adb23371b830fcee4f4e5

SHA256
b882f41a5c84d248a75714eaf215a9e363a49361b6a14beedb921ee3dfdb46a1

SHA512
0e6c479b0252e24635810b7d030cc9b5b17603ee20ccf62812446b8d15884521c6c7be65dfc0090bb1502e859fae27c2a63b3e58be714021f473a88407982162

Download Submit
memory/1712-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-19-0x000000002F800000-0x000000002F805000-memory.dmp

Filesize
20KB

Download
memory/1788-18-0x000000002F800000-0x000000002F805000-memory.dmp

Filesize
20KB

Download
memory/3452-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-1282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-2627-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download