f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
Size

70KB
MD5

ef391aab778930d221099b0b1bd87768
SHA1

8c7ce224f789fb8c0913c6edf2ec148f81606748
SHA256

f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909
SHA512

822f30e77c3877fdfea4616e72c19a65b5533cce1fc16c6785e5bafd0fce812b8d496e84578cc65e2ba780581b29083d422882464b3abb77c7e6eb3917a1f06a
SSDEEP

1536:e8cx1ae9n40g9i/qo6SKHQriw+d9bHrkT5gUHz7FxtJ:e8fZQioJKwrBkfkT5xHzD

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2828	Logo1_.exe
688	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
File created	C:\Windows\Logo1_.exe	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2416	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	29
PID 2476 wrote to memory of 2416	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	29
PID 2476 wrote to memory of 2416	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	29
PID 2476 wrote to memory of 2416	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	29
PID 2416 wrote to memory of 2084	2416	net.exe	31
PID 2416 wrote to memory of 2084	2416	net.exe	31
PID 2416 wrote to memory of 2084	2416	net.exe	31
PID 2416 wrote to memory of 2084	2416	net.exe	31
PID 2476 wrote to memory of 2756	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	32
PID 2476 wrote to memory of 2756	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	32
PID 2476 wrote to memory of 2756	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	32
PID 2476 wrote to memory of 2756	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	32
PID 2476 wrote to memory of 2828	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	34
PID 2476 wrote to memory of 2828	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	34
PID 2476 wrote to memory of 2828	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	34
PID 2476 wrote to memory of 2828	2476	f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe	34
PID 2828 wrote to memory of 2744	2828	Logo1_.exe	35
PID 2828 wrote to memory of 2744	2828	Logo1_.exe	35
PID 2828 wrote to memory of 2744	2828	Logo1_.exe	35
PID 2828 wrote to memory of 2744	2828	Logo1_.exe	35
PID 2744 wrote to memory of 2844	2744	net.exe	37
PID 2744 wrote to memory of 2844	2744	net.exe	37
PID 2744 wrote to memory of 2844	2744	net.exe	37
PID 2744 wrote to memory of 2844	2744	net.exe	37
PID 2756 wrote to memory of 688	2756	cmd.exe	38
PID 2756 wrote to memory of 688	2756	cmd.exe	38
PID 2756 wrote to memory of 688	2756	cmd.exe	38
PID 2756 wrote to memory of 688	2756	cmd.exe	38
PID 2828 wrote to memory of 2800	2828	Logo1_.exe	39
PID 2828 wrote to memory of 2800	2828	Logo1_.exe	39
PID 2828 wrote to memory of 2800	2828	Logo1_.exe	39
PID 2828 wrote to memory of 2800	2828	Logo1_.exe	39
PID 2800 wrote to memory of 2356	2800	net.exe	41
PID 2800 wrote to memory of 2356	2800	net.exe	41
PID 2800 wrote to memory of 2356	2800	net.exe	41
PID 2800 wrote to memory of 2356	2800	net.exe	41
PID 2828 wrote to memory of 1252	2828	Logo1_.exe	20
PID 2828 wrote to memory of 1252	2828	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
  "C:\Users\Admin\AppData\Local\Temp\f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a14C8.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe
      "C:\Users\Admin\AppData\Local\Temp\f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe"
      4⤵
      Executes dropped EXE
      PID:688
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2844
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
9546e9ae8c8e5b5f8d651e3b1b233224

SHA1
0821cdef875610dbc6b2a2b174d4889cc849219f

SHA256
15ff73d8df6cc0264065f36b5bf87488a2428ee4b0764a5fc29d50b429444ab2

SHA512
f05e8c8e528299319eae73d577fb95e6ab894187d63df221e6f002f862d15cfcb0d353058736e0482b73b9608c6bcf59f206c0a5f0f12d4a492cb6d9e53bf74a

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
79d96b6a2771e7783309bf05ebe7b5c1

SHA1
b19da11278224b17598d5b6de189892a83196708

SHA256
eb38a47ec49f3f376f53aff58def8c3a0e095bad67e2887d3f58bb4a3c71a19e

SHA512
72e30060fd922fc37662d762bc647bf85938986d810057926fe86a1622e1b05fc841bab9ee06ee7855071ed27da3d8fe20d41f03ae68c4c76cc720a7e56d4d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a14C8.bat

Filesize
722B

MD5
528a1c30fd375b0ca19ccac399e30971

SHA1
75758e0144ce79333b24254e1aeb9993b7489a28

SHA256
8ca3c9c3faa96f467a1b175ede16fa6922495c2e59e6ee142b6a90ad3aa9fdeb

SHA512
ad7062ada36e19ec0060bef5ad0301a519222ab2303c00d6c9dc45e53342c5c27bc25c0357d9acd4d4be470f9e329b496624f014f6103fbf2e287ce3651ef511

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0e567d0ce8f4fffd60612d0e9292df4bd879bacee10122aaa7ad80cd8004909.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
ca3dc0fcaad3c989a4751cedef27edb0

SHA1
79710f6a3d257400fc7d6960b64cf134e08111f8

SHA256
7a7e092711c0b2d515ff4787f8c4abe0c7fe1ea6a325eb5885b2cd061637a191

SHA512
ddc2f8fbf8940f317c4bd92c235c5c1744fa78c61d7817c6b88fbaae863d603e43ffdaab387e7d87d927e00f52a22e3a2e311d058f725dc25312ba88a2b6a64b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\_desktop.ini

Filesize
8B

MD5
d8dca68320777bb03e3a6dbdb7624c4f

SHA1
094cbdfea49743824e2aaf9c66082c25da2157b1

SHA256
ebe46a39e49fe879afd1b4ac0de5c6c62e8e90342cd71aaaf3ec1d84269e9c6e

SHA512
9097e8a3df0ae12235002caaef04951ab586d84ea9db1b9952e684b5ab570a033ba1bf047598fca329652cab23a5ec1516e6cd6dbcbd979fd32b9b8afbdf88cc

Download Submit
memory/1252-29-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2476-17-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/2476-18-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/2476-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2476-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2828-33-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2828-19-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2828-2335-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2828-5881-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2828-6348-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download