Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
12/10/2024, 07:06
Static task
static1
Behavioral task
behavioral1
Sample
001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
Resource
win10v2004-20241007-en
General
-
Target
001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
-
Size
81KB
-
MD5
0f8761ddc154cdfc675bfcf28967fe7b
-
SHA1
3880a7becdb7a0e30fd29d4e0c4923a3261ec55b
-
SHA256
001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39
-
SHA512
3a14fc70e5919b7b766a96fdd8553833a0e1003f05009353d50befa0a3755a3505856c4ec94a7d7f5a24cf34b6da3e1d432472eb3744a0bb72982960204b0e78
-
SSDEEP
1536:OClfgLdQAQfcfymN7H5UX/40gLVNQdwocztTRttqaNB47HxbG:pftffjmN7ZUA3adQ9tfNB4I
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid | Process
1736 | Logo1_.exe
2872 | 001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\View3d\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office 15\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Crashpad\attachments\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\View3d\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Fonts\_desktop.ini | Logo1_.exe -
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | 001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
File created | C:\Windows\Logo1_.exe | 001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
1736 | Logo1_.exe (this row appears 20 times, once per enumeration) -
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1836 wrote to memory of 1780 | 1836 | 001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe | 84
PID 1836 wrote to memory of 1780 | 1836 | 001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe | 84
PID 1836 wrote to memory of 1780 | 1836 | 001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe | 84
PID 1836 wrote to memory of 1736 | 1836 | 001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe | 85
PID 1836 wrote to memory of 1736 | 1836 | 001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe | 85
PID 1836 wrote to memory of 1736 | 1836 | 001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe | 85
PID 1736 wrote to memory of 208 | 1736 | Logo1_.exe | 87
PID 1736 wrote to memory of 208 | 1736 | Logo1_.exe | 87
PID 1736 wrote to memory of 208 | 1736 | Logo1_.exe | 87
PID 208 wrote to memory of 3412 | 208 | net.exe | 89
PID 208 wrote to memory of 3412 | 208 | net.exe | 89
PID 208 wrote to memory of 3412 | 208 | net.exe | 89
PID 1780 wrote to memory of 2872 | 1780 | cmd.exe | 90
PID 1780 wrote to memory of 2872 | 1780 | cmd.exe | 90
PID 1780 wrote to memory of 2872 | 1780 | cmd.exe | 90
PID 1736 wrote to memory of 3360 | 1736 | Logo1_.exe | 55
PID 1736 wrote to memory of 3360 | 1736 | Logo1_.exe | 55
Processes
-
C:\Windows\Explorer.EXE (tree depth 1)
Command line: C:\Windows\Explorer.EXE
PID:3360
-
C:\Users\Admin\AppData\Local\Temp\001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA6CF.bat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe (tree depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe"
- Executes dropped EXE
PID:2872
-
-
-
C:\Windows\Logo1_.exe (tree depth 3)
Command line: C:\Windows\Logo1_.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\net.exe (tree depth 4)
Command line: net stop "Kingsoft AntiVirus Service"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\net1.exe (tree depth 5)
Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
- System Location Discovery: System Language Discovery
PID:3412
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
244KB
MD5
216411f3d049fb51d19d524554841d86
SHA1
f27e80da107ff2b7d7c8be625f7cf6e74858d45b
SHA256
c905351e376e767d4d6b340dce4fe9a085cc2185eef58242dbc1e55252173168
SHA512
d110a7e7f2074b734e99e10413fadb678dfdb6180f6a384bb5a37248ca7a2520f1b59e761e0a2edfab8e73d0bee404460902aa174e306f81090617317b69b1e8
-
Filesize
481KB
MD5
89411677b6eead094ce614aaa6013495
SHA1
2b84946552e9aef55091300f2795e25ac420b17e
SHA256
997700a782a21223eae4b443fd082d1c10d432049d0d3df479bfb004abe1d509
SHA512
7499853c14bcefbefeca0d61d71dc7661f86521a8da2b1eee89ad77d505e897f4c547445c4dcc30180ad7ebf5f05b3a6fa858244d357652500cc570e642b9148
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
636KB
MD5
2500f702e2b9632127c14e4eaae5d424
SHA1
8726fef12958265214eeb58001c995629834b13a
SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c
-
Filesize
722B
MD5
26b83a32d6a070c30440b2dd7bb97068
SHA1
c705367678e78e7e7bd9032cc0323daea316ae08
SHA256
f67b51e7b061ed2795e57c2c3a3c8e25659f26a7fa6dda75c1567c1a8085847f
SHA512
f66f6b0b63dd53d6cce278856a1126a691c0404462abbe67f217510dcdc6c101c01175c55ae940806f2ee7059a6990c0dcae2847861fbc22e1abb39693ff1dbe
-
C:\Users\Admin\AppData\Local\Temp\001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe.exe
Filesize
54KB
MD5
6eb87bdfacf08d072ec1833f6b01ec80
SHA1
bd7431be47845645512fbc3f24a1f00e4e5dfa80
SHA256
cfd622d55dd921cb298359d116f72bceb0685359fe48537ffb07406468d2effc
SHA512
f13d8f26ec03367b0c38c7098793aed9fb7ff0bf156994ab4d6aa917cf40ee7eb300c3a6eb9a10252782cca1213f600466fed003a7f29f555d9ce04ac5a2f193
-
Filesize
26KB
MD5
7f68a170ba8add175821c75ea4de3ca9
SHA1
a81b90bcd8961d2d9bc063273298602eadabce97
SHA256
e4da26a8d7b275a600e6ff79cd190bb880472b10a2969efc2949085875184518
SHA512
9e5248be09a6e13c0cf5e6baded7e40fa6a880964a22c489c02607dda14cf92d3f5441ed9e884aa55648ca96fca7d9b65a29c74088615b955780143e151cf7f7
-
Filesize
10B
MD5
291aa08828faa68893c7f89a0dfc158b
SHA1
fcae3d190f0d8c14b44dc2be0b627b0680d2eab9
SHA256
f9e79f635e09441b5a073e6263a1d1de881c2105d7637650b5ec2d20f6a7c841
SHA512
9c80a5e3e37731eb0eba85b496e512dbfe08c77c207bcb41ad429d289e3d348e8e7b83ef00052c445581df37aa60729a4f0c2dd3ed0ed2e5d05a8758a23f1f38