d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
Size

724KB
MD5

61fdbd5ba84727f09603668996f18a4b
SHA1

9aaefe6405b2230a16a96bc2e9ff999548b554c6
SHA256

d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff
SHA512

4e5ece2a33414a5de41fdd5dbacbe2abd8559f9010de9b27cf17f5b23fbe7bc49c55dd0d29d269388d176a7b3dce4ce989c3573102ca5478646650276f570833
SSDEEP

12288:LaSfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:L7LOS2opPIXV

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1880	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2584	Logo1_.exe
2784	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1196	Explorer.EXE

Loads dropped DLL 2 IoCs

pid	Process
1880	cmd.exe
1880	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Uninstall Information\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
File created	C:\Windows\Logo1_.exe	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1804	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	28
PID 1256 wrote to memory of 1804	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	28
PID 1256 wrote to memory of 1804	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	28
PID 1256 wrote to memory of 1804	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	28
PID 1804 wrote to memory of 2276	1804	net.exe	30
PID 1804 wrote to memory of 2276	1804	net.exe	30
PID 1804 wrote to memory of 2276	1804	net.exe	30
PID 1804 wrote to memory of 2276	1804	net.exe	30
PID 1256 wrote to memory of 1880	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	31
PID 1256 wrote to memory of 1880	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	31
PID 1256 wrote to memory of 1880	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	31
PID 1256 wrote to memory of 1880	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	31
PID 1256 wrote to memory of 2584	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	32
PID 1256 wrote to memory of 2584	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	32
PID 1256 wrote to memory of 2584	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	32
PID 1256 wrote to memory of 2584	1256	d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe	32
PID 2584 wrote to memory of 2592	2584	Logo1_.exe	34
PID 2584 wrote to memory of 2592	2584	Logo1_.exe	34
PID 2584 wrote to memory of 2592	2584	Logo1_.exe	34
PID 2584 wrote to memory of 2592	2584	Logo1_.exe	34
PID 2592 wrote to memory of 872	2592	net.exe	36
PID 2592 wrote to memory of 872	2592	net.exe	36
PID 2592 wrote to memory of 872	2592	net.exe	36
PID 2592 wrote to memory of 872	2592	net.exe	36
PID 1880 wrote to memory of 2784	1880	cmd.exe	37
PID 1880 wrote to memory of 2784	1880	cmd.exe	37
PID 1880 wrote to memory of 2784	1880	cmd.exe	37
PID 1880 wrote to memory of 2784	1880	cmd.exe	37
PID 2584 wrote to memory of 2604	2584	Logo1_.exe	38
PID 2584 wrote to memory of 2604	2584	Logo1_.exe	38
PID 2584 wrote to memory of 2604	2584	Logo1_.exe	38
PID 2584 wrote to memory of 2604	2584	Logo1_.exe	38
PID 2604 wrote to memory of 2676	2604	net.exe	40
PID 2604 wrote to memory of 2676	2604	net.exe	40
PID 2604 wrote to memory of 2676	2604	net.exe	40
PID 2604 wrote to memory of 2676	2604	net.exe	40
PID 2584 wrote to memory of 1196	2584	Logo1_.exe	21
PID 2584 wrote to memory of 1196	2584	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1196
- C:\Users\Admin\AppData\Local\Temp\d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
  "C:\Users\Admin\AppData\Local\Temp\d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1120.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe
      "C:\Users\Admin\AppData\Local\Temp\d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe"
      4⤵
      Executes dropped EXE
      PID:2784
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:872
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
265KB

MD5
f5a0d1969590cd0d691dfef630d98854

SHA1
40a2f5c65ba9031ef45aaf0b2e4a6c01031aac07

SHA256
c660bc04ff79575160df60760a020cd0056b6225cb51095cb9d79e8829308932

SHA512
92d21d3ebe13b008ff3ab31a049098697132b2b1049a29b9196b66ce4e78f6590de9b6b32a5dd6a1634400cc655fcef1e50da5adde98975594f105b88cb34de1

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
485KB

MD5
3ac7773258fe0684e8a28f3793a74ed3

SHA1
316fba91c21ea13e4576a5eeec832fd585c31ca0

SHA256
9f41dbbbdf4edcf63ba6262af0ae0d9a13874d0e008522af866f12f3e71b198f

SHA512
8d2647018107b940fe80b5ab979570b9f255764195976272b8c2ee8640b0e91493d5e7fa598b4ce29bda8f87cf495c6c71fd62734d51761b04bb5127eb5b2b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1120.bat

Filesize
722B

MD5
f59ff9badd4f2d55a37d87a8fccf611d

SHA1
75bbeff467ce18732c6fbab814be9a5a1bc223ac

SHA256
c360ced777cb1e5af165f3670107378c341d433ae7ce61cf1e1c0697988f28dc

SHA512
7bdf34d8ead80023fc6474a7fcf42a72bf6ff86c71d2695e351cbda66b982278fb6ad9db36c5e585dc4e684396f78947f385b33c55808a715e154354bc3d301a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0cdc133ccb1908bece8c6059ba207f87b85d15e69a08bf1b362f99bd2c072ff.exe.exe

Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
C:\Windows\Logo1_.exe

Filesize
40KB

MD5
61af7e0a0b034f3f32742adc10967081

SHA1
57fc8937f45f9fc2616464ee757b1e73cb06e8dc

SHA256
637999fa57f8a28fc4b093eb68da2753375daee61d26f84c6b4d50be7e503d54

SHA512
bd2d493dcecc8485f6c783f0c192e10c760ba301295762c3c44f223e9d917329530db121dc71f7ee2d13cdcc716a5defe58b3bd77294c1c02b4036c93a4de665

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini

Filesize
9B

MD5
392ab9dcf5a9daf53626ea1f2e61d0b9

SHA1
0a2cdc7f8f9edf33f9fde3f8b90e0020190c8fb7

SHA256
9bbc94aad502d7d7a7f502ddb9cbd93b1c89eff13e445971c94ac09215ada67d

SHA512
5d1fea63a7793a65dc63c32cfe3ab2e1af941ded8e760f08fbe991e5b30433f86f920d717235a635020740c8f6f7996b4b8e8147e331b29141fcbb7bdc68144d

Download Submit
memory/1196-31-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/1256-17-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/1256-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1256-15-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/1256-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2584-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2584-34-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2584-3325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2584-4144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download