Analysis
max time kernel: 149s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2024 19:15
Static task: static1
Behavioral task: behavioral1
  Sample: 7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe
  Resource: win10v2004-20240802-en
General
Target: 7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe
Size: 694KB
MD5: 2631cc61a8502963ea8782a366641b2b
SHA1: 2118f3a9cfa867276af640a639eae097f57c6965
SHA256: 7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6
SHA512: dde8a6affac62da52dd7eb130b57fe93794b9331fe6f9576c04ace8ab3c25ea19b80faa6a31eb7927873b792de5b596efa561cf53f02dc2315c83dc07d026840
SSDEEP: 12288:K7+TNcKAEJ6RLtx4c8PF39A55nJTuxGfqseVF+J92QpCgGy9RTPq6xy3NhYhYUnK:K7uNcKAEJ6Rpx4c8PF39A55nJMGfqse3
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid   Process
1468  Logo1_.exe
1236  7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description  ioc  Process
File created  C:\Windows\vDll.dll  Logo1_.exe
File created  C:\Windows\rundl132.exe  7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe
File created  C:\Windows\Logo1_.exe  7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid   Process
1468  Logo1_.exe (the same entry for all 20 IoCs)
Suspicious use of WriteProcessMemory 17 IoCs
description  pid  Process  procid_target
PID 2292 wrote to memory of 4788  2292  7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe  82
PID 2292 wrote to memory of 4788  2292  7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe  82
PID 2292 wrote to memory of 4788  2292  7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe  82
PID 2292 wrote to memory of 1468  2292  7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe  83
PID 2292 wrote to memory of 1468  2292  7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe  83
PID 2292 wrote to memory of 1468  2292  7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe  83
PID 1468 wrote to memory of 4436  1468  Logo1_.exe  85
PID 1468 wrote to memory of 4436  1468  Logo1_.exe  85
PID 1468 wrote to memory of 4436  1468  Logo1_.exe  85
PID 4436 wrote to memory of 3500  4436  net.exe  87
PID 4436 wrote to memory of 3500  4436  net.exe  87
PID 4436 wrote to memory of 3500  4436  net.exe  87
PID 4788 wrote to memory of 1236  4788  cmd.exe  88
PID 4788 wrote to memory of 1236  4788  cmd.exe  88
PID 4788 wrote to memory of 1236  4788  cmd.exe  88
PID 1468 wrote to memory of 3464  1468  Logo1_.exe  55
PID 1468 wrote to memory of 3464  1468  Logo1_.exe  55
Processes
Image: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
PID: 3464

  Image: C:\Users\Admin\AppData\Local\Temp\7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe"
  PID: 2292
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a900B.bat
    PID: 4788
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      Image: C:\Users\Admin\AppData\Local\Temp\7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe"
      PID: 1236
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    Image: C:\Windows\Logo1_.exe
    Command line: C:\Windows\Logo1_.exe
    PID: 1468
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

      Image: C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 4436
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        Image: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 3500
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 636KB
C:\Users\Admin\AppData\Local\Temp\7f0532e31738e042bc42c63b19d2a6660bb62e684c3c2ebe09aa162d19234da6.exe.exe
Filesize: 667KB