Analysis
max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
20-01-2025 09:20
Static task
static1
Behavioral task
behavioral1
Sample
a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
Resource
win10v2004-20241007-en
General
-
Target
a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
-
Size
337KB
-
MD5
49d0eacdd73f421461da2c5529464d1c
-
SHA1
698449fbd9426a9e839493d4a1966f746e7d3e1e
-
SHA256
a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157
-
SHA512
20402c7a7b63d34e001757a9571ccc9b818603b44ad2077af2fea49e8b427032eae058f4f0e8f3747bba5205e3f78f90d57d655d69b00c23e7b3ef4215942edc
-
SSDEEP
6144:nVfjmNa3QxfAjg8CSFwq++b+s8snHA+ZwUKkfCSFwq++b+s8s:V7+ioX+b+sBngywEoX+b+sp
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid   Process
4324  Logo1_.exe
4852  a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\host\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\iadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\View3d\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Fonts\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\host\fxr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\WinMetadata\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\_desktop.ini | Logo1_.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
File created | C:\Windows\Logo1_.exe | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid   Process
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
4324  Logo1_.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2520 wrote to memory of 4376 | 2520 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 82
PID 2520 wrote to memory of 4376 | 2520 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 82
PID 2520 wrote to memory of 4376 | 2520 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 82
PID 2520 wrote to memory of 4324 | 2520 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 83
PID 2520 wrote to memory of 4324 | 2520 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 83
PID 2520 wrote to memory of 4324 | 2520 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 83
PID 4324 wrote to memory of 2744 | 4324 | Logo1_.exe | 85
PID 4324 wrote to memory of 2744 | 4324 | Logo1_.exe | 85
PID 4324 wrote to memory of 2744 | 4324 | Logo1_.exe | 85
PID 2744 wrote to memory of 3184 | 2744 | net.exe | 87
PID 2744 wrote to memory of 3184 | 2744 | net.exe | 87
PID 2744 wrote to memory of 3184 | 2744 | net.exe | 87
PID 4376 wrote to memory of 4852 | 4376 | cmd.exe | 88
PID 4376 wrote to memory of 4852 | 4376 | cmd.exe | 88
PID 4376 wrote to memory of 4852 | 4376 | cmd.exe | 88
PID 4324 wrote to memory of 3504 | 4324 | Logo1_.exe | 56
PID 4324 wrote to memory of 3504 | 4324 | Logo1_.exe | 56
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID:3504
  C:\Users\Admin\AppData\Local\Temp\a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8E17.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:4376
      C:\Users\Admin\AppData\Local\Temp\a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID:4852
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:4324
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:2744
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
          PID:3184
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
244KB
MD5
6ff583181082c5ea118d02d54f171be2
SHA1
f90dfe07b73e3728ee4a97cecb003e0ce0ad266b
SHA256
0c6bc96aa2801f66385f5625ebe5158acd48203a98ec096c5c8d7fd0ad8731e0
SHA512
efca17f4db99239481b7ffe2b917c7ce6c30dfbc139ecc4a8ff0615a9f6ed0f8c8a5fe5b4668101bdc8e1c167f9eac2a9080ccbf8030e7ae920e0c50ffc57acc
-
Filesize
570KB
MD5
8bbc9df9a5073c867871e7d66f2bdc49
SHA1
5ba2b71158fd38ab467b6be2bec0b83e88ff4aad
SHA256
e531dd4879c8974a4e0b01217a716c4639cdea86ff2cd157c76f78c246674b79
SHA512
3aa5b9dd2fb9a7913b9be69d4e9ec840ace04fdbfa2acf2f08a383fed9f491e31136b4b49b87dd38dd2ce1615bae99006ae0e138130df30f7e85226d460e367d
-
Filesize
722B
MD5
9b39d902e4bffa10bff3a4feb23456fc
SHA1
1e7e263571311cff296db1c9cd538200c925f0c8
SHA256
f95b043fcced052806ba1303d2c36a5a3dbb59f6974d88ac6b410f2ee88d7a05
SHA512
2b1389d1c4e16ca8416b9def106fb3d4fcfc8ca493e8b8b096412e89c41938865d9f67d4a183cee96ce020ad69d2acee7eedd4d0cfbed71eb9a7b10a898b87c6
-
C:\Users\Admin\AppData\Local\Temp\a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe.exe
Filesize
311KB
MD5
4fb7bab8644e827b14185267102161af
SHA1
9621c1a86dbd7f9f80c5c4feddce60044224d097
SHA256
cf7d06ed150dafb79bd893c49398e6bcd4251989d638c15d9f4a19872f79e8da
SHA512
28c44808bd9c86aae4e98c8c7f115487adc14252448c2eb1ca2abd78cd368aa3223221e3a6fd60cc8586d6a36e0e80cfdf72eb97e7eb35a533d867156951e9f2
-
Filesize
26KB
MD5
2da5a57d1ba2ed4b46bc3c9817948557
SHA1
8b28792220f874e0abd68de5d946c3ae111f6abb
SHA256
e3c3821d97d831fe32ef85bf7e78b397eba5cd839568aeae330e28e702eb662f
SHA512
29940a2b80714d8f816a0d6b4f5d93cfb4aeae5e0303f6f06d5091a3e0dc405ae1a1def41ea5e2e709ed6c20d4f4fd8f1d9527ca6eb4eb6d6cf1bc5fce4a7e91
-
Filesize
9B
MD5
fab21c95fbd55d3e60870bf676b4142d
SHA1
c0cf5adfcf077785f612e9f9b040a53f07fed748
SHA256
fc0efc960939c89e478c1cbcf51dbbc0246b44b55db924d6b5c57d4e2d58e2ce
SHA512
09eb68e511b40ee51d5d4e585422bcd09a0ecf70f2ddcf32c6a1f1c4a61c4ead0981bf03b670aa6b73e405808c68ca18ae0094a3a5a3a98a80771d3ace97baa2