8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 15:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe
Size

66KB
MD5

ed8b4aff6d8674771bec6a6656ba7930
SHA1

d83e49af5cb9324b8ca4fc9e828e1f7b6c8e2a5a
SHA256

8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820
SHA512

9d071fa9da7132401a8985d23fcbaa9aef95d616151fa76a3aee3a9623d76fd4e642596c32a3f088c4b6466682aed81010bdb5968ee5bec14d301c87239788be
SSDEEP

1536:pEN3SHuJV9NBriw+d9bHrkT5gUHz7FxtJ:pENkuJVLBrBkfkT5xHzD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5048	Logo1_.exe
1536	8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe
5048	Logo1_.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3796	5052	8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe	83
PID 5052 wrote to memory of 3796	5052	8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe	83
PID 5052 wrote to memory of 3796	5052	8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe	83
PID 5052 wrote to memory of 5048	5052	8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe	84
PID 5052 wrote to memory of 5048	5052	8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe	84
PID 5052 wrote to memory of 5048	5052	8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe	84
PID 5048 wrote to memory of 2580	5048	Logo1_.exe	86
PID 5048 wrote to memory of 2580	5048	Logo1_.exe	86
PID 5048 wrote to memory of 2580	5048	Logo1_.exe	86
PID 2580 wrote to memory of 4720	2580	net.exe	88
PID 2580 wrote to memory of 4720	2580	net.exe	88
PID 2580 wrote to memory of 4720	2580	net.exe	88
PID 3796 wrote to memory of 1536	3796	cmd.exe	89
PID 3796 wrote to memory of 1536	3796	cmd.exe	89
PID 5048 wrote to memory of 3588	5048	Logo1_.exe	56
PID 5048 wrote to memory of 3588	5048	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3588
- C:\Users\Admin\AppData\Local\Temp\8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe
  "C:\Users\Admin\AppData\Local\Temp\8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E29.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Users\Admin\AppData\Local\Temp\8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe
      "C:\Users\Admin\AppData\Local\Temp\8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe"
      4⤵
      Executes dropped EXE
      PID:1536
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
247KB

MD5
e31894e11e88093ce72dfafb84ddfdf7

SHA1
ac5c5f4b519ad19dccbedb7b8eb1dc8c7fe0a9cf

SHA256
e427c005093f36f72db9ffc86e57dda5a9cc7792489b6c6786d103c494b2d37f

SHA512
773b237482727980067fdee4979c805c1514b22a45bf707448b56e5ac7d9d8ad5ef004859bffe91824139a8caf4accf3ec8550c48f412267623686db9d4a89fe

Download Submit
C:\Program Files\CompareRestore.exe

Filesize
413KB

MD5
f1250f725d66d911a6e896193aafb90c

SHA1
acfefb6dbce53d4bdc9e391b409c87fde8807dba

SHA256
8b1cfe3bc161b17c38cce987176294ce65c88511a28a6d63316d3be43eb2fa0d

SHA512
43165583c7d8dc53d173841171694ecec76933c7a54a648b79315ca90e6d5ed48d7f96ab2cc0fd9f8886c6a9fd3f55b0cf3b3201835490779050d71311738642

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
639KB

MD5
c6d6354b442f8417dc66b1723a800f2f

SHA1
94525ba06431ca98c5b8b58c60b24ac8811b1748

SHA256
848e14757895f1da1da61c8bb06127caaeb36eb3361768b3baf1a7974ad16716

SHA512
49b347afad74e96aeedddaaf3bbf7cb261c5590b4991af35f3fcd5fe2a22954266e5dc84b100590731da608ba49aa04fd5f22c7997d20ca5999cc63103180a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7E29.bat

Filesize
722B

MD5
7e46ea56cf703dc77db20830ca629e56

SHA1
46f94fb8ea26ad98169587a5689312bc9bd66a8f

SHA256
2a069172066835ae779ec44a9e30f1541a2ba1f7e075ea3ad3a6d91d981dc863

SHA512
ffe0b95e44d92d9a4c7b9092b9bb7fdaa87767c40a7f0d3ee0d24fd319a6b6ba03910f8823769a84fcaf16a6ed880cb9b6ae953333e2c7be3c728a0c5972924a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dc760433dc4a4163e71a640c00d3f1cc8cd4e8d233ab0e2bb9670e6601bd820.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
502c3c435387c18a85ef272fb21e65c9

SHA1
f881e5115f12ec0e2ab4fee0ebc7696b24234311

SHA256
50dfa1109318a24715883d5d1e08402aa8f613b1fad836487842ff8a8b0e3dfd

SHA512
294a9e291742dbd814dca359ad2ddd730d2ab9226f1637bd53283e5930423a48783a6e14675406c0d18f3ceeeb17c9ec88c5547cef09813e7e83688fa2820d77

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\_desktop.ini

Filesize
8B

MD5
24cfb7e9169e3ecbcdf34395dff5aed0

SHA1
64061d8b0afd788fb3d2990e90e61f14010896dd

SHA256
e11477f26e6139dabba6ad5dab927732c6a3785db78f82194ad7ae20323c6578

SHA512
a315d4ab14f15f8df115e35134f0a1eff8018b0c35c5a0283928f2d3f3014215d683973b9aeba1bc74c49437cc929ea4e2fb847b4305da6d5abca235c750e299

Download Submit
memory/5048-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-733-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-1236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-4793-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-5238-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download