998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085

Analysis

max time kernel
199s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe
Size

2.6MB
MD5

468f2a8822e72abbd40916941c5b8503
SHA1

9800a6ef9a5d92fb495f4612c3dcc37378347b68
SHA256

998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085
SHA512

666fb147d0726e561c094261068263d90f5f866cbe4b9932361a55da7aacfb9a33a9402a6741aa542a19d0bddbdd676d6d8e12d1f4a35e99ba1be1c60812d402
SSDEEP

49152:/7M8jxPN5HmPJhtG6ToOK0+Hy5zlBiB55oTZeyiLmSW6Ir42/rTmJ7kgHgOK:AYPB0Z5zlBiH5oIyiLmHw2OhkgQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe

Executes dropped EXE 2 IoCs

pid	Process
116	Logo1_.exe
4948	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\6.0.27\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\host\fxr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\legal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101226"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A2A2C8A3-FD1D-11EE-A3F9-52D91C800120}.dat = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2099486102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101226"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A2A2C8A1-FD1D-11EE-A3F9-52D91C800120} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2099486102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 3312	560	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	93
PID 560 wrote to memory of 3312	560	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	93
PID 560 wrote to memory of 3312	560	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	93
PID 560 wrote to memory of 116	560	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	95
PID 560 wrote to memory of 116	560	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	95
PID 560 wrote to memory of 116	560	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	95
PID 116 wrote to memory of 712	116	Logo1_.exe	96
PID 116 wrote to memory of 712	116	Logo1_.exe	96
PID 116 wrote to memory of 712	116	Logo1_.exe	96
PID 712 wrote to memory of 5020	712	net.exe	99
PID 712 wrote to memory of 5020	712	net.exe	99
PID 712 wrote to memory of 5020	712	net.exe	99
PID 3312 wrote to memory of 4948	3312	cmd.exe	100
PID 3312 wrote to memory of 4948	3312	cmd.exe	100
PID 3312 wrote to memory of 4948	3312	cmd.exe	100
PID 116 wrote to memory of 3360	116	Logo1_.exe	56
PID 116 wrote to memory of 3360	116	Logo1_.exe	56
PID 4948 wrote to memory of 3928	4948	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	103
PID 4948 wrote to memory of 3928	4948	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	103
PID 4948 wrote to memory of 3928	4948	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	103
PID 3928 wrote to memory of 2628	3928	iexplore.exe	104
PID 3928 wrote to memory of 2628	3928	iexplore.exe	104
PID 2628 wrote to memory of 2204	2628	IEXPLORE.EXE	105
PID 2628 wrote to memory of 2204	2628	IEXPLORE.EXE	105
PID 2628 wrote to memory of 2204	2628	IEXPLORE.EXE	105

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe
  "C:\Users\Admin\AppData\Local\Temp\998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFBD0.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe
      "C:\Users\Admin\AppData\Local\Temp\998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:17410 /prefetch:2
        7⤵
        
        PID:2204
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:712
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
abc39bb762c9fdd1df9c48340d1239ca

SHA1
af372f979fc9ca1c41de73510dfa05f3cd89f887

SHA256
1b722ae85b8c09e3a993db4b39131a4c4aba3bf86549b48e94f3f4e1f5d6c506

SHA512
3eff4ded8371184869f407a347765d0574281634f33ae99b96bc28c405fafe2f721c9969eba56a22815a4fce7a4fc478b32b1f16ce4be99e10d6d548f3a552e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aFBD0.bat

Filesize
722B

MD5
ef40df2b192d8f9db0c581c09c53ab56

SHA1
f038797ddf3e99ad084f2b1ac59dbe53a5d524ed

SHA256
283ae244e5117ccff75ed6bf26e51175b560a97c53d7d6c6a90fd702450e4bc8

SHA512
5b3389e48994650fcc3a03e30159d6bdcfcfcb97bbee069067841187150ae57af57717f0d3e0389f6b75b747aae9b63cbf9827afb2c2ad1d038d05742ba440e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe.exe

Filesize
2.6MB

MD5
78e059cdb97de787e780109e42edc055

SHA1
43e35ab547d9ef8cb978cbc5bfbef89b4f6aea53

SHA256
61b7d31fa80f3c9fd584c454c9c70e6ce1f101864abcd3fd1cdb22d8b344dbd4

SHA512
426cd43d00ce9d6c850b57159c4934ed88731ce3ad56107be65d95d200c9616517967b3c7b7c2cf1b42eda4e58b6a28383cfce52a11258422eb093ee489e69ab

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
6ff88aed67261a9080c1e62fd8bd0504

SHA1
14aed18f7ccd0e479389f111b63e79f2578001b1

SHA256
ee50a980fa1e7b2d29fc3adfa8acdeeda2cfd4937f4efe6346bfd9d0dac37a45

SHA512
4eac127c6e81a6c5c91b5276cd4a059c1fc3d78f8b5911d1c4b8fb77cb355d61f32b22c8230d55c6ac61f7ef52062dffe76f9b98dd0d18331e26a8c7eb070172

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1230272463-3683322193-511842230-1000\_desktop.ini

Filesize
9B

MD5
72b7e38c6ba037d117f32b55c07b1a9c

SHA1
35e2435e512e17ca2be885e17d75913f06b90361

SHA256
e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

SHA512
2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

Download Submit
memory/116-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/560-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/560-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download