3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23/12/2023, 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
Size

1.8MB
MD5

f3f907603e41a2133b2d629b9f98f372
SHA1

82225d5cb4300acfa0a827cb7f40200171ca1c63
SHA256

3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db
SHA512

b69e6b2ca81a329672769db98abb8ca10d15bb1451ee3ef2df5ea29531285c794a4306ed26d13faca77d2e3c83f2136e3727c9d41c11ff1260cb28e1923c7a09
SSDEEP

49152:o7h2DrmHMYyD2hP/MBE7zyZ+ABENWyg+hql:semHGqnM4z0+ABEMyFu

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2788	Logo1_.exe
2824	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
2792	cpuz_x64.exe
1368	Explorer.EXE

Loads dropped DLL 2 IoCs

pid	Process
3024	cmd.exe
2824	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000141c0-23.dat	upx
behavioral1/files/0x00090000000141c0-24.dat	upx
behavioral1/memory/3024-25-0x0000000000130000-0x000000000015C000-memory.dmp	upx
behavioral1/memory/2824-29-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x00090000000141c0-26.dat	upx
behavioral1/memory/2824-92-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cpuz_x64.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
File created	C:\Windows\Logo1_.exe	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
928	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2792	cpuz_x64.exe
2792	cpuz_x64.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
484	Process not Found
484	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2792	cpuz_x64.exe
Token: SeLoadDriverPrivilege	2792	cpuz_x64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	cpuz_x64.exe
2792	cpuz_x64.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3024	2784	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	28
PID 2784 wrote to memory of 3024	2784	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	28
PID 2784 wrote to memory of 3024	2784	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	28
PID 2784 wrote to memory of 3024	2784	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	28
PID 2784 wrote to memory of 2788	2784	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	29
PID 2784 wrote to memory of 2788	2784	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	29
PID 2784 wrote to memory of 2788	2784	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	29
PID 2784 wrote to memory of 2788	2784	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	29
PID 2788 wrote to memory of 3012	2788	Logo1_.exe	31
PID 2788 wrote to memory of 3012	2788	Logo1_.exe	31
PID 2788 wrote to memory of 3012	2788	Logo1_.exe	31
PID 2788 wrote to memory of 3012	2788	Logo1_.exe	31
PID 3024 wrote to memory of 2824	3024	cmd.exe	32
PID 3024 wrote to memory of 2824	3024	cmd.exe	32
PID 3024 wrote to memory of 2824	3024	cmd.exe	32
PID 3024 wrote to memory of 2824	3024	cmd.exe	32
PID 3012 wrote to memory of 2744	3012	net.exe	34
PID 3012 wrote to memory of 2744	3012	net.exe	34
PID 3012 wrote to memory of 2744	3012	net.exe	34
PID 3012 wrote to memory of 2744	3012	net.exe	34
PID 2824 wrote to memory of 2792	2824	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	35
PID 2824 wrote to memory of 2792	2824	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	35
PID 2824 wrote to memory of 2792	2824	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	35
PID 2824 wrote to memory of 2792	2824	3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe	35
PID 2788 wrote to memory of 1368	2788	Logo1_.exe	6
PID 2788 wrote to memory of 1368	2788	Logo1_.exe	6
PID 2792 wrote to memory of 928	2792	cpuz_x64.exe	36
PID 2792 wrote to memory of 928	2792	cpuz_x64.exe	36
PID 2792 wrote to memory of 928	2792	cpuz_x64.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1368
- C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
  "C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6A5.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe
      "C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe"
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_2792.log
        6⤵
        Opens file in notepad (likely ransom note)
        
        PID:928
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
0c5e863b4f42e3666a8c10967ff5a592

SHA1
b1f368bc31b28fe047ba65ff7f15646e853cccc9

SHA256
0e47e74aeff65c1fc274fcb519c595232df39a52534e72616fbc2efdf67bfeba

SHA512
c21bb24395feea23bd40a91a20cfdae809727c199f25654bcd47c3522c3bbc3cd8574700a1c233083608bd028304b5ef656d0869f0b322bf4d84ccbcb66b38ef

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6A5.bat

Filesize
721B

MD5
ea93061e713f4cd1ce435656f3b40e0f

SHA1
89fa1922ba737f1f30fcc538d13adeb3da4e0ae2

SHA256
55441be08b747392756de7c1b7aa815335e1b7236e51c64bfb7a056b1ff0db6c

SHA512
7c63d6c97797fe1fc403d8755a218725425e43579a796788050bd656abae7ede47d23645d2e1544e418e01ace806bfaf09fb30c88d0750bf8cd24548d19cf197

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe.exe

Filesize
1024KB

MD5
0b46d71e14ef86ae5cf63b18f4dbaea5

SHA1
0bdccd178ae076080861d5f8abd76ce5b4ecc02e

SHA256
075f8bbe1928317f45eb3614a24deea5d93a02309ffdabd3e9732b6710588dd2

SHA512
2ef104e11f33ea0fcf93a6a58d0f22cab746ddb3a997513a6dbc95a258ab5274788dfc186f9890e070f240ae259b0b0ae68e76a161c368dc2ae2ec2ae3bdece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe

Filesize
1.4MB

MD5
0bf44c4471d8d9992c2622a79f0a8398

SHA1
4f9807da4190d7d7f3169bf7638c0b9c4f11e9ce

SHA256
6fa1eb4e0d9422ef782b786408bb2f0a6b4bff7670877d72058dbd6dd6ddf15f

SHA512
45191b9ddd33394bcaf8911244caca8ae9ff59dc6413ef09290cb59accf4404bf9c64fe7d9f5a0541736f331539837bfb3a105df86b345ff0f1d64a118ef10cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe

Filesize
382KB

MD5
d07b5a6407ba95e3d5451994096a5bc0

SHA1
93332622499ed372c35ff0492f08d98c7d7ecfaa

SHA256
265f9e571e662c2464dc1fb05960b7f304914eb654a03ed067246092c4da37f7

SHA512
9c0ee34e38612c012ee7d3f3e8f5d8491ae6f38d45d76265c525793555782ba927cebc96036569323f0dd493c378a72ec540ce233cff5ccf1f14261a17df5a5a

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
fb93094f20bbc5dcb79268d23f38361c

SHA1
516b8b78319dc3f2adbe7e4de6a4e3fba41ae76a

SHA256
cf70d1c51b86031f36294c54caa11f02cd09e2b82fcd286240809891c7a82eff

SHA512
ceeb1988199292d7792ebff568e7bb89f49b628e5df409432b2263752de9142f00101f2bfe1bfc44321ed7934e70a1bf02f9823be43a1ee0e7ea52c504ab3d0f

Download Submit
C:\Windows\temp\cpuz_driver_2792.log

Filesize
2KB

MD5
b6c7de60bfebcfac31bd11e65eba0c37

SHA1
ef131f326594579e8f1414217b16da4f66bc4591

SHA256
41a81c972019bd809b241145d51c0f20cca66d0ccca737504b6af3426d9f1db7

SHA512
8814df7eb127b3faf6647d8d4f9f44589029218448b48ac6c15b418a9d74ebccf3751ec7d7e5797ee7b716ce67fe4d1dd9e350e0114a864780c2190df7e5d00a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
10B

MD5
7ffaa74dcf5b57082a43c17464e10782

SHA1
c6cf002ebb82e54cb14553d044f6c61463b369a6

SHA256
b3bfda52765f0ec02320ef68e5fca5e0d4bb61e1ec6f062430a5711a41c1be65

SHA512
35ef0f681e44781b5dc20e179918be9dad7be2029093f9537cfe30bff888bc875ad32e6bbb59294dc36779829bab7aa6ebfac9e93c6a1ef5e4e7ddde85bb6de8

Download Submit
\Users\Admin\AppData\Local\Temp\3a96ec76438d148b5f01e9dbc1b7c72a538cc4e722115ed02532429d11ec92db.exe

Filesize
321KB

MD5
a64241f5e4a9b907fec9023126fc69c9

SHA1
286db07d17b3b9a4275b69396f86a1038b3a41c0

SHA256
ef526dba35909633cad64563c27c375352fd25f0ea190d73748eee46a4b0ed7a

SHA512
62e6af8250924530399f9e18f81f5a5983b3a887c99a439e5d84b78978a65ee36d3214ce7ad9ef967794ab0bb08d228f36add0ca3c2d49fc4a0567d6961ad479

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe

Filesize
1.2MB

MD5
9dc494e7a51f22b7385d1b66e1449bcc

SHA1
45820527aee63439a78b9e22db8d70b151473e33

SHA256
84b7b9b108b561391638cdd53e8e57d4cb83e86d6b693dfad44dc766bfaa65be

SHA512
a359142cf7a40ea0d4ddbc6f061ff6f7a949ce8a2da1baea53a4c56e459a805297dac2426943cb8b815791091e4525796a0a5b919aa931eeece3017c6fb042ef

Download Submit
memory/1368-86-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2784-16-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2784-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-898-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-1919-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-2460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-3381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-92-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2824-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3024-25-0x0000000000130000-0x000000000015C000-memory.dmp

Filesize
176KB

Download