Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 01/05/2024, 14:33
- Static task: static1
- Behavioral task: behavioral1
- Sample: d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe
- Resource: win7-20240220-en
General
- Target: d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe
- Size: 970KB
- MD5: dd1ba9501a33a15cb1a03f3c87574bbf
- SHA1: c8bd088ecd8605a500ac0d5271b3241de9f258b2
- SHA256: d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba
- SHA512: cf381035b0435bba00a183cc63b93470feba39bb83ef57cc6fd6618fc705edba08b771b863b888e5abf2928b5ecdc3b1ae47386185fde1de9338c48c0d274e41
- SSDEEP: 12288:f+azbvURKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:fBzbRBpDRmi78gkPXlyo0G/jr
Malware Config
Signatures
- Deletes itself (1 IoC)
  - pid 2960, cmd.exe
- Executes dropped EXE (2 IoCs)
  - pid 2496, Logo1_.exe
  - pid 2968, d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe
- Loads dropped DLL (2 IoCs)
  - pid 2960, cmd.exe
  - pid 2960, cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only) by Logo1_.exe: \??\Z:, \??\S:, \??\O:, \??\W:, \??\V:, \??\T:, \??\Q:, \??\P:, \??\E:, \??\R:, \??\M:, \??\J:, \??\H:, \??\G:, \??\Y:, \??\X:, \??\U:, \??\N:, \??\L:, \??\K:, \??\I:
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  - File created: C:\Windows\rundl132.exe (d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe)
  - File created: C:\Windows\Logo1_.exe (d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe)
  - File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
  - File created: C:\Windows\Dll.dll (Logo1_.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - pid 2968, d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeRestorePrivilege, pid 2968, d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe
  - Token: 35, pid 2968, d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
Processes
- C:\Windows\Explorer.EXE (PID 1068)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe (PID 2196)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe"
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2088)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2252)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 2960)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1FE0.bat
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe (PID 2968)
        Command line: "C:\Users\Admin\AppData\Local\Temp\d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Logo1_.exe (PID 2496)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2588)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 344)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 2388)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2452)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 484KB
  - MD5: 79d4fd1cb70f3844796aa1ea18a238e2
  - SHA1: 78d207a7de2aeb85eefc185d894b0b7626e1e1f3
  - SHA256: ccaacc3965c1bdfce8cd1e934895a4563dddf082016e56846966c250bed87d5b
  - SHA512: 7a0167cbce49f09ea39e490862b8c371eacf8ce3d74d6a6054e7f0e1df4b307019f5adee03603fcb9d4db2b17841cbc9cf129e9480d70b20c266fe82b3979b33
- Filesize: 722B
  - MD5: 70492412b3d49376d285de935ee74238
  - SHA1: 89414b9010a65d69dc3c207dfbace38d94155289
  - SHA256: e8da6ec33e99274b8ec32b07f9c761a684959a2b6c274ee23e7a664550bff989
  - SHA512: 43955b2209ebd362b921ae3ea481f2ca93e52ef6c85ff2ab8c0617da3fb817b2dac3686f8f68717cf6ec5507dbe1cb035768bf6bf8f3160da42a9a9397a3351c
- C:\Users\Admin\AppData\Local\Temp\d7d5fc6e948e133dc2735b31643bbaa56125ec13f708d680d8766d1f56117fba.exe.exe
  - Filesize: 930KB
  - MD5: 30ac0b832d75598fb3ec37b6f2a8c86a
  - SHA1: 6f47dbfd6ff36df7ba581a4cef024da527dc3046
  - SHA256: 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
  - SHA512: 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057
- Filesize: 39KB
  - MD5: 9baf4f78ddf22479a13eb3697ec716c3
  - SHA1: 07f0697d06257229f3037aee747c3b9c739625f4
  - SHA256: 4e55900657c0f76aa22f59ee18f4b27276a58da7cb117db46d7deebd8e448e22
  - SHA512: f13ab1c6aa4bf9976d2e937fb6c3cb5070db77aeefd620e93a8fdf4c39b12ef262ee7cf3743dca03daccef904b11c09f303136e1e8b84a9929e3a0124bfb9d23
- Filesize: 8B
  - MD5: 35a8ee2041a708d5071bff39818311c3
  - SHA1: 31114ee16a39b8ada4130a94c1c36ed74a563d2a
  - SHA256: b2405b086204a9155a2dabf58717e53695089ece5d0af208cb960473ba350f8b
  - SHA512: f17fa8c794a47b0134ac4d8e83010e8dce1a0f2ab74a400c571d6470737e386f4eb1351be6c5b153dc063c49d333b69ddf67871d2e0ffb3c02d243be0015f1f0