d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe
Size

173KB
MD5

a566a02be16418d355af128c760c08ea
SHA1

9ee43e37d8ce13078cecc031bed9c0b26072c9cf
SHA256

d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35
SHA512

494e47e38afab10a8cfbcb1645aa8dc97fa85cc42466fa94cdf7d99e6735426e24526959a0c217699f6c005007899a881cd3b132177d3b47f00f7cde83aa8fbb
SSDEEP

3072:peJkuJVLIDfByOpGjAvb3eLG2FmDDSrDVTFooWZet3:PuJCpyOpGcj3UFmDDSrDVTSBQ3

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3692	Logo1_.exe
3912	d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\iadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\View3d\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe
File created	C:\Windows\Logo1_.exe	d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe
3692	Logo1_.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 1368	4996	d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe	83
PID 4996 wrote to memory of 1368	4996	d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe	83
PID 4996 wrote to memory of 1368	4996	d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe	83
PID 4996 wrote to memory of 3692	4996	d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe	84
PID 4996 wrote to memory of 3692	4996	d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe	84
PID 4996 wrote to memory of 3692	4996	d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe	84
PID 3692 wrote to memory of 4948	3692	Logo1_.exe	86
PID 3692 wrote to memory of 4948	3692	Logo1_.exe	86
PID 3692 wrote to memory of 4948	3692	Logo1_.exe	86
PID 4948 wrote to memory of 1796	4948	net.exe	88
PID 4948 wrote to memory of 1796	4948	net.exe	88
PID 4948 wrote to memory of 1796	4948	net.exe	88
PID 1368 wrote to memory of 3912	1368	cmd.exe	89
PID 1368 wrote to memory of 3912	1368	cmd.exe	89
PID 3692 wrote to memory of 3408	3692	Logo1_.exe	56
PID 3692 wrote to memory of 3408	3692	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe
  "C:\Users\Admin\AppData\Local\Temp\d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6CC4.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe
      "C:\Users\Admin\AppData\Local\Temp\d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe"
      4⤵
      Executes dropped EXE
      PID:3912
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
247KB

MD5
7ec52ed75f36e9c33b70aea7680b2d0c

SHA1
3785037b48c3eabfe1c788770101fb8babad1397

SHA256
bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a

SHA512
bab64bcaf30b49a35cbaa2b4cd2e976365dc43462ff7b9dd8a02c128bfa999b70cf67ec4cc867be67da657bdd60010255dcb0c21747695d2ddc12f5a2b51cde1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
573KB

MD5
224886c0d598bcfa2c77d2edcc9cb0ee

SHA1
55fb30a4360b64f5fea518d03bb6f09451d5983b

SHA256
477691461800bd52a3e755a873e69976f468a058ab409cf001b66fab86cdd566

SHA512
6d74624ba46dc1be4ef8607804b6a726385ed2a17481499799e90a9b270894db24c9764357018c1782c9c59b12dd8d26d9cfcd38ad647c1eba7acf729fca44f9

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
639KB

MD5
ad5a7e5eb1a1cdd791957e07c93748ae

SHA1
6e4f8c5f4d791327e11d0d68ca6f514554af8481

SHA256
cfee92d916fbbb95d8282c3264d3708ad1ddfdd9db4daaf00e0c96a22854c4dc

SHA512
a8acd191aec48dac8d5808a93ee973ea52793140e318b4d870fb10e4e8ba0756fe95654134dd1c175168375a0f7caebfd8a7d46a9b3dc71006f830b53dd9fefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6CC4.bat

Filesize
722B

MD5
a4b673ae0af1c2048f06cc5130e7e98a

SHA1
b116cbb6693e81d5a98006a8f7d0514a76bd70fb

SHA256
3e80330c693917430ffb22d6496b74b9a7dd81110a7bcb59feceb254dfe772b8

SHA512
728d9fbc15d9319c732ec3f0ed7901c4b008aa1ff554a9734d240e6d7c99c27ebaee5b3c6780f20fb19860c73955a292ce14477013fbe35dd101ddb2725845f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d557d828479d62958fbb20a8f6e3de68eeb486aa4b6527ea30cf29a540a7bb35.exe.exe

Filesize
143KB

MD5
33b4c87f18b4c49114d7a8980241657a

SHA1
254c67b915e45ad8584434a4af5e06ca730baa3b

SHA256
587296f3ff624295079471e529104385e5c30ddc46462096d343c76515e1d662

SHA512
42b48b4dcd76a8b2200cfafddc064c053a9d1a4b91b81dee9153322c0b2269e4d75f340c1bf7e7750351fb656445efaf1e1fe0f7e543497b247dd3f83f0c86f9

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
4ec2047773672aa95997b5e9bfe029b9

SHA1
cc75c24092829cddba5ca4672a607e037acca4ca

SHA256
bedc248003e0af924d9bfdac50741f22955ac912be17efc6bf8385c782525c02

SHA512
d131935964fcdcd97c8c04bbb56800800a69ede9d702f5a33d3dd776275a32871842c9f5cc8cd1e747807ec102ca7fab6a9b7343341e1bcf0b691c7135f12fd7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\_desktop.ini

Filesize
8B

MD5
24cfb7e9169e3ecbcdf34395dff5aed0

SHA1
64061d8b0afd788fb3d2990e90e61f14010896dd

SHA256
e11477f26e6139dabba6ad5dab927732c6a3785db78f82194ad7ae20323c6578

SHA512
a315d4ab14f15f8df115e35134f0a1eff8018b0c35c5a0283928f2d3f3014215d683973b9aeba1bc74c49437cc929ea4e2fb847b4305da6d5abca235c750e299

Download Submit
memory/3692-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3692-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3692-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3692-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3692-583-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3692-1234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3692-4792-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3692-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3692-5237-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4996-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4996-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download