1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
Size

1.3MB
MD5

a61cfc6c4c203311d43ab8b08cd3f087
SHA1

25133ed1bb80ccf9f17b60e09e14de6a79c7b1f2
SHA256

1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe
SHA512

66416012e51dce8be66150d0213c8edf5c51c3783cea4c0ee6443178aeaf445bf7d5ea82f83dd920b8e1b65a9dc4e20638ed1ce769913fda40b6cf592b43791c
SSDEEP

24576:M79OdZfkO6+EFFKBqM8C9uU0N4ryz4EAX6pipxX6:M79wEoUZ5N4rREAX64pxX6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
404	Logo1_.exe
4572	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jscripts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Install\{4896B57A-BA2E-425E-ACC6-3260D1FD1C27}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
File created	C:\Windows\Logo1_.exe	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe
404	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	4572	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
Token: SeDebugPrivilege	4572	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 3680	3880	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	83
PID 3880 wrote to memory of 3680	3880	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	83
PID 3880 wrote to memory of 3680	3880	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	83
PID 3880 wrote to memory of 404	3880	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	84
PID 3880 wrote to memory of 404	3880	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	84
PID 3880 wrote to memory of 404	3880	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	84
PID 404 wrote to memory of 4112	404	Logo1_.exe	85
PID 404 wrote to memory of 4112	404	Logo1_.exe	85
PID 404 wrote to memory of 4112	404	Logo1_.exe	85
PID 4112 wrote to memory of 4756	4112	net.exe	88
PID 4112 wrote to memory of 4756	4112	net.exe	88
PID 4112 wrote to memory of 4756	4112	net.exe	88
PID 3680 wrote to memory of 4572	3680	cmd.exe	89
PID 3680 wrote to memory of 4572	3680	cmd.exe	89
PID 3680 wrote to memory of 4572	3680	cmd.exe	89
PID 404 wrote to memory of 3472	404	Logo1_.exe	56
PID 404 wrote to memory of 3472	404	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
  "C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB258.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
      "C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4572
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
244KB

MD5
eda97e2bff8a53be06025304152892c1

SHA1
7acc3b17f6c62690f42519ee9dc4706221165f67

SHA256
52277041a1ae6cb4ddf4e0db7d1e8239b5d93cdc5930941c3904a2b5999609d7

SHA512
e2daca195d81fa8a9a44ce4f338650b641a9459ad2e4612cd0bb53ccdee3d2f326eba3cdf216fcdd983aa936eb6f22165b7d2c3ac0ac876cd5205406b3bad0f1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
ce7e43d72e4a3de460ea0c3c25d52c72

SHA1
16781c2100cb6095607fbe18c69ce30c3d2a6786

SHA256
d14f142663a8442e596ce805c3d1b694a9caf9db7f9d8174f5c9251c45957661

SHA512
c50b9b37c31a3316cbfad52089497e6770980259c7600dded7ebaa25894c20fa6614bc75a009dcb8b7b603e03662244b4121e0d9771ce8bf8ff06e48ae3d355c

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
82168b5f40194e6e86457c2b534cfc21

SHA1
3e2702a384a03243e98ee6866e09f6d5df9b5de5

SHA256
c2f452c90356d0070c71ce17da69c4245dc24f46e1215eca22748567e48279d9

SHA512
6d041166b41e4608aa46b1724322a22d49e5d709f4b1bf89d2c6819282a813c88cd74ba6167f337d4d36a741ae53830b04e58e92fbfc597f85cd7f763284c774

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB258.bat

Filesize
722B

MD5
6b5d9a03cacd4426229e98e76b3574b9

SHA1
14479ace9950be1c3bdf289e1cf554a873df8cc1

SHA256
14680f0c4c9af7ca2cd23e6c69933b1c46ebe23b5b9a430424a72040eb66d5ce

SHA512
59929dd2c5da4ee5b5bf406d5bf1b4f4721424cd985f85bf8350a5c45ff62c64587bc041a23eef75355ab76f9ee8a8a7cf1654253f10fd9d27683e19ba9c50ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe.exe

Filesize
1.3MB

MD5
ce73e5b504434e95869a276c0b908a6e

SHA1
abadfe6f48fcbca375021b34bd7483bb6428b699

SHA256
6bf251b9615a53f84b2ecbd19f146b8b977aae3bc6a7abadfefe30eca6ec64e2

SHA512
395066d444ef8bdb9d6bfb56e729b75517855ec5e8ec123e2f0fd6d4994aa26b126dc5f6c733767880063c599d270c9e26499f2d41fd2eef9062127bbaffc2ad

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
dd889a3e0c7516d8e3ba89a8b6b98232

SHA1
5a7733c34782590a34e9931221cdf8654c3e465e

SHA256
21af4733e7b12937ef11a44607a9dbe649d6ab3af8b296eef08f0a42c4802f2f

SHA512
a9ce858ca0b5972bcdadf3bc06dd6fcc323cd0178dc2a24949f736b947832de0a629a7f63a171823377d49e391fc8beb5f0d9b73358ac931c8273d8e3cfbf266

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\_desktop.ini

Filesize
8B

MD5
646a1be8fae9210cfba53ee1aab14c96

SHA1
8677ff347131a9c8304f10b48012ebd8b075030c

SHA256
660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5

SHA512
812b716a422628d486a4c78c66a85c641f13976537fbd452e14fab9a6c440b442632df04de8437c485c9c8164e3b3499201d3dbe681b36fe6bec749df1ab75e4

Download Submit
memory/404-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-620-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-1235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-4792-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-5237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download