Analysis

max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/09/2024, 14:21

Static task: static1
Behavioral task: behavioral1
Sample: 58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe
Resource: win7-20240903-en
General

Target: 58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe
Size: 321KB
MD5: c9c9cad523a202bcdb77e3660fc39b41
SHA1: 31e407b3a16965a5e3a541044db7607fb902a3b4
SHA256: 58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4
SHA512: 7eb53cfed4b262d414111d08953415c56b24674adba17f149905713a09753d5ef6b1c884fbed0e0d0695d486d9ef47182c18168708c193a819367061ad6b5e2c
SSDEEP: 1536:xHe+Zk77RNYjLBcae2/sJ9aJfXgY1zUTyr5hVM:xHe+aX38yae+XgTTSje
Malware Config
Signatures
Deletes itself (1 IoC)
pid   Process
2748  cmd.exe

Drops startup file (2 IoCs)
description                   ioc                                                                  Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini   Logo1_.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini   Logo1_.exe

Executes dropped EXE (1 IoC)
pid   Process
2768  Logo1_.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description                   ioc                       Process
File created                  C:\Windows\rundl132.exe   58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe
File created                  C:\Windows\Logo1_.exe     58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe
File opened for modification  C:\Windows\rundl132.exe   Logo1_.exe
File created                  C:\Windows\Dll.dll        Logo1_.exe
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Logo1_.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   net1.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (43 IoCs)
Suspicious use of WriteProcessMemory (34 IoCs)
description                        pid   Process                                                                 procid_target
PID 2168 wrote to memory of 2292   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   29
PID 2168 wrote to memory of 2292   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   29
PID 2168 wrote to memory of 2292   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   29
PID 2168 wrote to memory of 2292   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   29
PID 2292 wrote to memory of 2872   2292  net.exe                                                                 31
PID 2292 wrote to memory of 2872   2292  net.exe                                                                 31
PID 2292 wrote to memory of 2872   2292  net.exe                                                                 31
PID 2292 wrote to memory of 2872   2292  net.exe                                                                 31
PID 2168 wrote to memory of 2748   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   32
PID 2168 wrote to memory of 2748   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   32
PID 2168 wrote to memory of 2748   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   32
PID 2168 wrote to memory of 2748   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   32
PID 2168 wrote to memory of 2768   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   34
PID 2168 wrote to memory of 2768   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   34
PID 2168 wrote to memory of 2768   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   34
PID 2168 wrote to memory of 2768   2168  58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe   34
PID 2768 wrote to memory of 2544   2768  Logo1_.exe                                                              35
PID 2768 wrote to memory of 2544   2768  Logo1_.exe                                                              35
PID 2768 wrote to memory of 2544   2768  Logo1_.exe                                                              35
PID 2768 wrote to memory of 2544   2768  Logo1_.exe                                                              35
PID 2544 wrote to memory of 2740   2544  net.exe                                                                 37
PID 2544 wrote to memory of 2740   2544  net.exe                                                                 37
PID 2544 wrote to memory of 2740   2544  net.exe                                                                 37
PID 2544 wrote to memory of 2740   2544  net.exe                                                                 37
PID 2768 wrote to memory of 2868   2768  Logo1_.exe                                                              38
PID 2768 wrote to memory of 2868   2768  Logo1_.exe                                                              38
PID 2768 wrote to memory of 2868   2768  Logo1_.exe                                                              38
PID 2768 wrote to memory of 2868   2768  Logo1_.exe                                                              38
PID 2868 wrote to memory of 1752   2868  net.exe                                                                 40
PID 2868 wrote to memory of 1752   2868  net.exe                                                                 40
PID 2868 wrote to memory of 1752   2868  net.exe                                                                 40
PID 2868 wrote to memory of 1752   2868  net.exe                                                                 40
PID 2768 wrote to memory of 1268   2768  Logo1_.exe                                                              20
PID 2768 wrote to memory of 1268   2768  Logo1_.exe                                                              20
Processes

C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1268

    C:\Users\Admin\AppData\Local\Temp\58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe"
        PID: 2168
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe
            Command line: net stop "Kingsoft AntiVirus Service"
            PID: 2292
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                PID: 2872
                - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2433.bat
            PID: 2748
            - Deletes itself
            - System Location Discovery: System Language Discovery

        C:\Windows\Logo1_.exe
            Command line: C:\Windows\Logo1_.exe
            PID: 2768
            - Drops startup file
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                PID: 2544
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    PID: 2740
                    - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                PID: 2868
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    PID: 1752
                    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe.exe
Filesize: 288KB
MD5: 01bbe782a1da233c59881ed2d18f4f06
SHA1: 723d4dfdab2b477633455d4775e32bd52f081c7b
SHA256: 7ded5e3c9c066789a50305a048639afeab4dffcc9673ae7f1092e5af7c6a91b1
SHA512: 492b202ab850c4f120c4ac7854bf7e7acc865505679d8973736ed3ea28f4b77b645c8a15d806805064ebc81ebd1b4bf07e1fd4023307673d3ce4b81d49c7d175