1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5

Analysis

max time kernel
160s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe
Size

316KB
MD5

7da6d7f75a140a1c16cb7b8cc8cf27fe
SHA1

347e569f06d8b5c797ae8a7c33ff1c0c56f5afeb
SHA256

1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5
SHA512

583c133d0a29e62b5dbf3e58cb719132ecd927543473f2c64246998218b1b2f6fc31022937e4dec9e26e974c0ed22096ecacada4a57a65953668de8ddd69602a
SSDEEP

6144:KdVfjmNIgsm6/SJB2VzS+p5kHcLnZ5RT2vYW4F1MVhsoo04Se2RRp:K7+I3RSJB2lS+4UT1FS3ZLn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4632	Logo1_.exe
2576	1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe
File created	C:\Windows\Logo1_.exe	1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2776	1464	1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe	83
PID 1464 wrote to memory of 2776	1464	1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe	83
PID 1464 wrote to memory of 2776	1464	1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe	83
PID 1464 wrote to memory of 4632	1464	1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe	84
PID 1464 wrote to memory of 4632	1464	1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe	84
PID 1464 wrote to memory of 4632	1464	1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe	84
PID 4632 wrote to memory of 4184	4632	Logo1_.exe	86
PID 4632 wrote to memory of 4184	4632	Logo1_.exe	86
PID 4632 wrote to memory of 4184	4632	Logo1_.exe	86
PID 4184 wrote to memory of 376	4184	net.exe	88
PID 4184 wrote to memory of 376	4184	net.exe	88
PID 4184 wrote to memory of 376	4184	net.exe	88
PID 2776 wrote to memory of 2576	2776	cmd.exe	89
PID 2776 wrote to memory of 2576	2776	cmd.exe	89
PID 2776 wrote to memory of 2576	2776	cmd.exe	89
PID 4632 wrote to memory of 3140	4632	Logo1_.exe	68
PID 4632 wrote to memory of 3140	4632	Logo1_.exe	68

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe
  "C:\Users\Admin\AppData\Local\Temp\1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA19F.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe
      "C:\Users\Admin\AppData\Local\Temp\1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe"
      4⤵
      Executes dropped EXE
      PID:2576
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
823531bbd70233476ca605959cb8d2cc

SHA1
74d878fd6828e77407da2f3c7a4085df4a6911ab

SHA256
9a10abcfd9877c51a6a4bfd5f81681f59537171b37f398571d9ba9cbde784c16

SHA512
08bb43ac1d17d35709a4beafe60fd5074d9ee0c30398e0e934ff3bef0577a19f20be821dbf5d02fcaa0fb1f48fa2defec4b41d6ca99bfb2b7d51f5290f622632

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
484KB

MD5
6a7f204fa4ffd417ccd83928b35482b6

SHA1
c9b8d6c232b0584326938e67703c0a3f1ca839ef

SHA256
0898d285d5ec1843485b7380bcbc3f665cfbe759a426b525007a76ad77940917

SHA512
2c13e6ff5ee26a25d4e5be491fc5ad526aa6dfb34fb2c4b8a5f1a7c8286e0e911985dc3a70cfc82924137d70e361382c2fe15be9ceecebb6a5787c770477d677

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA19F.bat

Filesize
722B

MD5
1590cd77326ca666a84cecc9c66c9197

SHA1
451c4cce1a48fdf5184dc15dd88306944e02a4c1

SHA256
efe89bbaa97b1259a3ffc74c8abde08c3224b7a8444a3eadba96e6cbe780f394

SHA512
f3dfff7fc1cf2c4043cd82affa7d6595ef1532967fde47d6cb09c78a0c6773b08c382191e5e4f2300b52cf797d2f7c4013720d868bbda18e210ed05d8bdeed13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe

Filesize
289KB

MD5
2e0a4e779b0bc3249632a2ee142abea1

SHA1
49396629e30100ad2a29cc46ca738cf4165e4aa2

SHA256
34464f94ae95d0be898172f344565f4f5220d10a921a9c9098a1f65b6234dd03

SHA512
3e58456b4f8bccf1b9807e3e2202deae17f6a7ad78415fbc2013a4fe437cd729624c101da0d24637d6c5a09e5aa3be64ee84cd718d70bb84c826c37ad777c265

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bdb80742c8681822df0355155826fd50aebdf83c9a8f17ecc895b5c7aec3ec5.exe.exe

Filesize
289KB

MD5
2e0a4e779b0bc3249632a2ee142abea1

SHA1
49396629e30100ad2a29cc46ca738cf4165e4aa2

SHA256
34464f94ae95d0be898172f344565f4f5220d10a921a9c9098a1f65b6234dd03

SHA512
3e58456b4f8bccf1b9807e3e2202deae17f6a7ad78415fbc2013a4fe437cd729624c101da0d24637d6c5a09e5aa3be64ee84cd718d70bb84c826c37ad777c265

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
b16f445581f1c84748e3ef64f127b97d

SHA1
b5eee38ce13635f35a781926f8434a07ca295872

SHA256
b3fe889ff71155b7882670d7a2197a75cc11601a7a1003eb1948be8a87f916f8

SHA512
de97b113bed31ba85a533a4f8bc6a6f25df09403299e45a23cd908cbd6dded5b033fc0dbd800f143045871f57dff198036bc1a539b1d44527fca2cb7cb195e54

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
b16f445581f1c84748e3ef64f127b97d

SHA1
b5eee38ce13635f35a781926f8434a07ca295872

SHA256
b3fe889ff71155b7882670d7a2197a75cc11601a7a1003eb1948be8a87f916f8

SHA512
de97b113bed31ba85a533a4f8bc6a6f25df09403299e45a23cd908cbd6dded5b033fc0dbd800f143045871f57dff198036bc1a539b1d44527fca2cb7cb195e54

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
b16f445581f1c84748e3ef64f127b97d

SHA1
b5eee38ce13635f35a781926f8434a07ca295872

SHA256
b3fe889ff71155b7882670d7a2197a75cc11601a7a1003eb1948be8a87f916f8

SHA512
de97b113bed31ba85a533a4f8bc6a6f25df09403299e45a23cd908cbd6dded5b033fc0dbd800f143045871f57dff198036bc1a539b1d44527fca2cb7cb195e54

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\_desktop.ini

Filesize
10B

MD5
a2f55d4dd0965430ceab2e112f7ee0a8

SHA1
d5e114f97985141a73b1e325728e5fd21e432f60

SHA256
f905d8a1cc369898067bdb4538843b91eb17d0d84032e2b5766ef438e25f807f

SHA512
8bce44ff59da58c0f9a3fdec7edb997a6781cd8f6aa4bc8ef0945c0a4dcde1db93092b88d2e114cd29d58931265b2aa1055dab677716cf75f1482faaa4c9bcdc

Download Submit
memory/1464-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-1278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-3775-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-4820-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download