a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe
Size

68KB
MD5

33e2bb5d4d0967473ea2d56d61bc7c45
SHA1

8df2c9d4e3aa33ad8e24e8fc651a62cc9bf8cb9e
SHA256

a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf
SHA512

5627f73b0cc522645914e45a30bb289ef41309dc957981bc6ab9f1f8c3b8234a45d2584c7534c456c9d589057a6953a5dc1c84fdbf9d6210737a5e566a85e3ed
SSDEEP

768:q11ODKAaDMG8H92RwZNQSw+JnbmQj3FZJ9Vs9XnsDwx5RJm:cfgLdQAQfwt7FZJ92Bsc33m

Score

7^/10

microsoft phishing

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4352	Logo1_.exe
3728	a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Mutable\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\_desktop.ini	Logo1_.exe
File created	C:\Program Files\ModifiableWindowsApps\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe
File created	C:\Windows\Logo1_.exe	a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
4352	Logo1_.exe
1736	msedge.exe
1736	msedge.exe
2252	msedge.exe
2252	msedge.exe
2156	identity_helper.exe
2156	identity_helper.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 516	4076	a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe	86
PID 4076 wrote to memory of 516	4076	a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe	86
PID 4076 wrote to memory of 516	4076	a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe	86
PID 4076 wrote to memory of 4352	4076	a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe	87
PID 4076 wrote to memory of 4352	4076	a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe	87
PID 4076 wrote to memory of 4352	4076	a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe	87
PID 4352 wrote to memory of 3612	4352	Logo1_.exe	89
PID 4352 wrote to memory of 3612	4352	Logo1_.exe	89
PID 4352 wrote to memory of 3612	4352	Logo1_.exe	89
PID 3612 wrote to memory of 5060	3612	net.exe	91
PID 3612 wrote to memory of 5060	3612	net.exe	91
PID 3612 wrote to memory of 5060	3612	net.exe	91
PID 516 wrote to memory of 3728	516	cmd.exe	92
PID 516 wrote to memory of 3728	516	cmd.exe	92
PID 4352 wrote to memory of 3376	4352	Logo1_.exe	55
PID 4352 wrote to memory of 3376	4352	Logo1_.exe	55
PID 3728 wrote to memory of 2252	3728	a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe	98
PID 3728 wrote to memory of 2252	3728	a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe	98
PID 2252 wrote to memory of 916	2252	msedge.exe	99
PID 2252 wrote to memory of 916	2252	msedge.exe	99
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 3892	2252	msedge.exe	100
PID 2252 wrote to memory of 1736	2252	msedge.exe	101
PID 2252 wrote to memory of 1736	2252	msedge.exe	101
PID 2252 wrote to memory of 4428	2252	msedge.exe	102
PID 2252 wrote to memory of 4428	2252	msedge.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe
  "C:\Users\Admin\AppData\Local\Temp\a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a56AB.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Users\Admin\AppData\Local\Temp\a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe
      "C:\Users\Admin\AppData\Local\Temp\a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb220846f8,0x7ffb22084708,0x7ffb22084718
        6⤵
        
        PID:916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
        6⤵
        
        PID:3892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
        6⤵
        
        PID:4428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        6⤵
        
        PID:3484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        6⤵
        
        PID:1920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
        6⤵
        
        PID:4260
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
        6⤵
        
        PID:4820
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
        6⤵
        
        PID:4320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
        6⤵
        
        PID:4976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
        6⤵
        
        PID:388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
        6⤵
        
        PID:3712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
        6⤵
        
        PID:4296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
        6⤵
        
        PID:4676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4517218950730905390,9379446096263709570,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4948 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        
        PID:2064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb220846f8,0x7ffb22084708,0x7ffb22084718
        6⤵
        
        PID:3240
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:5060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
7e6e7ba916c50f31ee0f62efba0ce4dc

SHA1
23e010038b850f2271961285cddb5cc79ca5cde2

SHA256
d74096fb8a13abcb4460081ae5f05fbb3cefbf1ad60a5949084d520e9a911f7d

SHA512
1b2d74f660ae02bc5c533114d0befdf17af802290d3738c1458913595e0eee263c9dceca35670c48b574a4e3b85783bf824bcc3a364cf85df74ff391b576c493

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
07c358280bcaea68a999220dae7e9f3b

SHA1
31e1af54fb6da8f40f015edc714be55be4a069e5

SHA256
5275934daa35ad2a76ccdcfa28a3aaa0a70a4abbef3f09bbd6aa4e6565e7775e

SHA512
fb01288bf1781f4fd52a94800b6401ac6b25c5a851e9a9d893930af78813f8be19f4c6bdc45067f71c6bb037bb1a4303860d817e8756316d6dd7dc71c741ddbe

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
26f10ae795ba6df10c2779f4a535b449

SHA1
f00986886ad07550c909b9f02b7b3a9c310e8b0f

SHA256
996761040fa3726dbdda9dd94f543e7d0f26f58b5c7a122e900e56b2dacdc7b8

SHA512
5f5ea3a050876256571610eec85456ac6b3469ddaa10a6c62d621081718cf8eeedc21cf6381c49c835c6b61690b7c41107b357bb14c044ace1dfe7f827baa93c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb138796dbfb37877fcae3430bb1e2a7

SHA1
82bb82178c07530e42eca6caf3178d66527558bc

SHA256
50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

SHA512
287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
efc06d98cacaba6550ee45bd084a55d8

SHA1
5afab3f6c3b4f19421bd652b2f883c8ccde14a06

SHA256
4574f060f5ca3d996c8d67922c0213d52c6a111ef2e25089ef45f87ddb9cf61e

SHA512
9a21173df69a57ec9018d39dafedb01eacd32cb740a67382698d535cfec3238c0a78f95f7d6b7cf73ab6da2f038208c56396818aebe88e2d8b08d4c1014c8704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
57ab9077d96c56d790cb5293b7d42af9

SHA1
376357004c166d879e8e8c7a39f49654651f850c

SHA256
3f76edac640617a9e1b3510e09f60ef5c4968534e2915776256d144b4ffdb114

SHA512
65fe6b4052f7f72f695c1ab0a2de4d0ccdc609c623b8493c25536e4d124decface63b35924effc8526f67e48cdbc5f83984f18d18eead74fee56a0a809f327e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47f346df1cb11fdc1145dabc36a7c35d

SHA1
087e0c9d8237941dce22b11286f827d5d229b3f4

SHA256
61513e578c6ee007e6319422553df45e58eae8adda4484f2a85af48cf460a4da

SHA512
c535ef88e2d752befff10aa751801270590b416091ba5b506d53401ae1de8e3833f0a34f7923aae323e4977b8f280b8443cdf7b5a1645d39c85278fc335ebb31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5033b74c0440f280d9ff907f82474b02

SHA1
4048740fd8fa4404567ba64848fa368c75ddd987

SHA256
684b63b112dae7f698d1446f271c59a8c4c29eee524ed238588f394e8f1a9f99

SHA512
b8b5c4afc316cc43979b0b9e408b0f54db6030067ebc83f8b8eaa6dcaea143f0ef2b8ab29209e94af9656360438f8b013b8d9190fa0a4bc0e48b9caaf61ad674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
5ff8b16219f50e006d0b156d39c668df

SHA1
c3849b7f89d7f530616a60262b8d6a0d45206a69

SHA256
f1b51a11f1dedf90872ba4199d1787d12a18c1439b1470d40149fb0ce9769e9a

SHA512
1fe7497bbd495ae8b19726b191f341f74426d22d5ab45c4ba1d7a3faa7ad2dc83bd3ea4f6267a12c5e38243ef8312aaf1b3338a3392a8f12f6ef6e55aa4e07f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57caa3.TMP

Filesize
371B

MD5
82ec771ac9a8d808b17e792dbcf06ada

SHA1
6032e9f46b2da45c9536a3d59cd0a04f8ff354ed

SHA256
bb045aa9e787655cc309ca4f9c5d58bf20432a912ba4b00dbc1ea14512e740b6

SHA512
b539868d593e8c4def198d297e18595560ed21b7492bd3bd99f52995237434e6379add932aeee0e4eb239f51cf28be9dc36bea2f3ead00b674441adc0b0603c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c15ab4d404d553e355212a7439d1c700

SHA1
1d4b3f029027a477d378f81c974fee7c19d5de34

SHA256
9da5d3ad778f81e0d18407794f4142c06ec4ad0949aeca396584132b76a0cff4

SHA512
f282e966966b7eb69fbe42e5d9691f7635c424eeb16fb0d9eb40e0e5e1a4a7956d2a324edcd200266abad40d72978f4be65aabb533eab0909607d868f4d47a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a56AB.bat

Filesize
722B

MD5
30d38e2879dd5301c33bcf897f4c7009

SHA1
6050e44d0749d3a6ed5dd4a54341fd7cf55edfce

SHA256
d0692fb3366fd6684730dcf77e94e541cc3d5a0185863b2ff8fd989f08e53409

SHA512
2e860c85096fdedc5bd19d772f3d66e06bcd150014e2a535d38bd92a25442dc21c7690d773ea1aa2f0c05f5c5c2155fb4e938eda8ce2f2e32a2916b5bae98831

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4c923c61e07e1213f8aa8965aae331c22642827fb59fd309d9354cd453f45bf.exe.exe

Filesize
42KB

MD5
a4cb70816e2548ccb1c9cc998069e8a7

SHA1
198136ca0c88faef962d471c1bcc6af6618dced8

SHA256
6d18e20920fb1e4da066006bc91f25a9915f5afb6f643a5c8400ad80b8671897

SHA512
0e64682d13f9d7049c1b30ad1da04c74c34f84a0952aa605007839aa9d26a7c339ab706c9f454ca9bc0335ff5e6dcc7be8cc1eb8ee092b87ec76c70adda11351

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
062e9ac4cd0d9881793982c6a70957ac

SHA1
e8fd0d16c910ce5dbc58b1468569088a62ba4930

SHA256
d042b18870bab6c7f7d07f6f5595bf049f9d651e3162bf9fa2f9131986bc0d96

SHA512
567aa44d2dd8b75230be444dc6504de1946f287b182f73b4ba8ceced7c3c837820d252741e9f1f23a77fad74a4b9177f45e78c35a217fe198fda921de08fc638

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4084619521-2220719027-1909462854-1000\_desktop.ini

Filesize
9B

MD5
2be02af4dacf3254e321ffba77f0b1c6

SHA1
d8349307ec08d45f2db9c9735bde8f13e27a551d

SHA256
766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

SHA512
57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

Download Submit
memory/3728-101-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/3728-18-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/4076-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-632-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-1420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-4983-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-5424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download