Analysis
  max time kernel: 150s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20240730-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01/08/2024, 22:44
Static task: static1
Behavioral task: behavioral1
  Sample: 443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe
  Resource: win10v2004-20240730-en
General
  Target: 443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe
  Size: 183KB
  MD5: 68b23c7a625878dc787c9a4c2b50dbc4
  SHA1: 716904640829aa71e3db077d32fda9f35d291d77
  SHA256: 443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319
  SHA512: f0c9778c5fc1f559123e85f35cca16bf1f98ce9b12f1ef6b25ff97c0d732baf101a9b402b120b60bcbc0827b074f4b0be6ad93fa163c804b72a6752eb9784e40
  SSDEEP: 3072:bKftffjmNAwLEVbLoEZlKk7611VBzNkDqrB5bGEAd9/E3e7IFxt:bKVfjmNARuk7611VBzhEEu83n
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid 2948  Logo1_.exe
  pid 4864  443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\L:, \??\I:, \??\G:, \??\W:, \??\Q:, \??\N:, \??\S:, \??\P:, \??\M:, \??\K:, \??\Z:, \??\Y:, \??\T:, \??\J:, \??\H:, \??\X:, \??\U:, \??\R:, \??\V:, \??\O:, \??\E:
Drops file in Program Files directory (64 IoCs)
  Process for every entry below: Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\_desktop.ini
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini
  File opened for modification  C:\Program Files\Windows Mail\wabmig.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini
  File opened for modification  C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\_desktop.ini
  File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\en-gb\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxMetadata\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\_desktop.ini
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  File created                  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\microsoft.system.package.metadata\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\js\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini
  File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\_desktop.ini
  File opened for modification  C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\vi-VN\_desktop.ini
  File created                  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\_desktop.ini
Drops file in Windows directory (4 IoCs)
  File created                  C:\Windows\rundl132.exe  443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe
  File created                  C:\Windows\Logo1_.exe    443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created                  C:\Windows\vDll.dll      Logo1_.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: net.exe, net1.exe, cmd.exe, 443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe, Logo1_.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid 2948  Logo1_.exe  (20 occurrences)
Suspicious use of WriteProcessMemory (16 IoCs)
  source pid  Process                                                                    target pid  procid_target  occurrences
  4300        443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe  2060        83             3
  4300        443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe  2948        84             3
  2948        Logo1_.exe                                                                 3312        86             3
  3312        net.exe                                                                    340         88             3
  2060        cmd.exe                                                                    4864        89             2
  2948        Logo1_.exe                                                                 3424        56             2
Processes
  C:\Windows\Explorer.EXE  (PID 3424)
    cmdline: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe  (PID 4300)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe"
      signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (PID 2060)
        cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a952B.bat
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe  (PID 4864)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe"
          signatures: Executes dropped EXE
      C:\Windows\Logo1_.exe  (PID 2948)
        cmdline: C:\Windows\Logo1_.exe
        signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe  (PID 3312)
          cmdline: net stop "Kingsoft AntiVirus Service"
          signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\net1.exe  (PID 340)
            cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads