Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 10:19
Static task
static1
Behavioral task
behavioral1
Sample
16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
Resource
win7-20240221-en
General
-
Target
16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
-
Size
963KB
-
MD5
ad550ecc833880ec939711174909e484
-
SHA1
e345af1d66acaab2b879643f5711d6923d234621
-
SHA256
16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede
-
SHA512
00e9c6e1e47b5d87a002e7a008c7187b3ef53aebfc677cfffc06c8bd783de70e8ef9a6c9411cdb885a5c76c8ce4af53a00ce81cd2b711714e037918b98cdb32f
-
SSDEEP
12288:O+ayRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:OBbBpDRmi78gkPXlyo0G/jr
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2600 cmd.exe -
Executes dropped EXE 2 IoCs
Processes:
Logo1_.exe16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exepid process 2616 Logo1_.exe 2428 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2600 cmd.exe 2600 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Logo1_.exedescription ioc process File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
Processes:
Logo1_.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe Logo1_.exe File created C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe Logo1_.exe File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe Logo1_.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Mail\wab.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe Logo1_.exe File created C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
Processes:
16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exeLogo1_.exedescription ioc process File created C:\Windows\rundl132.exe 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe File created C:\Windows\Logo1_.exe 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\Dll.dll Logo1_.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
Processes:
16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exeLogo1_.exepid process 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe 2616 Logo1_.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exepid process 2428 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exedescription pid process Token: SeRestorePrivilege 2428 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe Token: 35 2428 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exenet.exeLogo1_.exenet.execmd.exenet.exedescription pid process target process PID 1908 wrote to memory of 2052 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe net.exe PID 1908 wrote to memory of 2052 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe net.exe PID 1908 wrote to memory of 2052 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe net.exe PID 1908 wrote to memory of 2052 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe net.exe PID 2052 wrote to memory of 2476 2052 net.exe net1.exe PID 2052 wrote to memory of 2476 2052 net.exe net1.exe PID 2052 wrote to memory of 2476 2052 net.exe net1.exe PID 2052 wrote to memory of 2476 2052 net.exe net1.exe PID 1908 wrote to memory of 2600 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe cmd.exe PID 1908 wrote to memory of 2600 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe cmd.exe PID 1908 wrote to memory of 2600 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe cmd.exe PID 1908 wrote to memory of 2600 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe cmd.exe PID 1908 wrote to memory of 2616 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe Logo1_.exe PID 1908 wrote to memory of 2616 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe Logo1_.exe PID 1908 wrote to memory of 2616 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe Logo1_.exe PID 1908 wrote to memory of 2616 1908 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe Logo1_.exe PID 2616 wrote to memory of 2528 2616 Logo1_.exe net.exe PID 2616 wrote to memory of 2528 2616 Logo1_.exe net.exe PID 2616 wrote to memory of 2528 2616 Logo1_.exe net.exe PID 2616 wrote to memory of 2528 2616 Logo1_.exe net.exe PID 2528 wrote to memory of 1584 2528 net.exe net1.exe PID 2528 wrote to memory of 1584 2528 net.exe net1.exe PID 2528 wrote to memory of 1584 2528 net.exe net1.exe PID 2528 wrote to memory of 1584 2528 net.exe net1.exe PID 2600 wrote to memory of 2428 2600 cmd.exe 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe PID 2600 wrote to memory of 2428 2600 cmd.exe 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe PID 2600 wrote to memory of 2428 2600 cmd.exe 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe PID 2600 wrote to memory of 2428 2600 cmd.exe 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe PID 2616 wrote to memory of 1748 2616 Logo1_.exe net.exe PID 2616 wrote to memory of 1748 2616 Logo1_.exe net.exe PID 2616 wrote to memory of 1748 2616 Logo1_.exe net.exe PID 2616 wrote to memory of 1748 2616 Logo1_.exe net.exe PID 1748 wrote to memory of 2508 1748 net.exe net1.exe PID 1748 wrote to memory of 2508 1748 net.exe net1.exe PID 1748 wrote to memory of 2508 1748 net.exe net1.exe PID 1748 wrote to memory of 2508 1748 net.exe net1.exe PID 2616 wrote to memory of 1192 2616 Logo1_.exe Explorer.EXE PID 2616 wrote to memory of 1192 2616 Logo1_.exe Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe"C:\Users\Admin\AppData\Local\Temp\16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"3⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"4⤵PID:2476
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\$$aA296.bat3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe"C:\Users\Admin\AppData\Local\Temp\16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2428 -
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:1584
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:2508
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exeFilesize
258KB
MD59ac10f2289f81d00cb5315e30a25967d
SHA143f3ec8b12b8ef26c5e0151a50e708edd8a3e979
SHA256a978211529b28a3b66408c32636b82ef4405121d57e90a911c60f3810be3c0cc
SHA512211d2c4d98509e4b0df64c0b31331431486886ae40c106ca1af496a2573fcfce3737d3574f6f41e39b02cf35b67859c14e46d58b30cf59062f8b68ec76dc1a77
-
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exeFilesize
478KB
MD5f01e1e0718ca3110b117e544489e3839
SHA16c19ce81349add991c3a88926d586b3de6ff9548
SHA256b044da00ae636042dc22870432b28488014098b7e01350031e82a361d45b588d
SHA512ee9a34b33e30eed3ef7676c7c86c88f748886527fe61d2133a8f3365d11848de66b1c118ea4d3a05f97363d6dc829c4490e839e20a16847a651cc915b47b5a93
-
C:\Users\Admin\AppData\Local\Temp\$$aA296.batFilesize
722B
MD5a1db5addf870023b9ef98833b689d05c
SHA1ffc7268e0401cd69f4f172d9e4e59fbff49d4eca
SHA256c72a8a302d4c07bf2721e6e8b0d724584159ce3be87f8eb4080d839fde99da61
SHA51207aaaf7703f7f3ac74cf40cdbe710db2dc14a0cc05a947e41ffc457c180f9fb6271bb7e2e31736a592ffe8e0a41947af64c71dbaea1780b408fce7415aa4df82
-
C:\Users\Admin\AppData\Local\Temp\16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe.exeFilesize
930KB
MD530ac0b832d75598fb3ec37b6f2a8c86a
SHA16f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA2561ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057
-
C:\Windows\Logo1_.exeFilesize
33KB
MD5beaa56a0e4764dd95329202a0a92e326
SHA11e18f4051244e4aa8eabbddc7001ffcdc2adc055
SHA25602424a4ca6ac65d66c89b79493d30a0c54c46da6ec225ef5ae1c724913451a08
SHA512fc65d6da1e1f112abbb37c5227823980d644b6436cec5d44a75de9e97ba9e709010fc6edb064c592ce931412612010c7254bc5eb6c4aec004510786525276e25
-
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.iniFilesize
9B
MD531874817e0fb055be8d2c971c0e3bbde
SHA1ee8a35d6a86cb6d13f354d67d912e194bb09c74b
SHA25694de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544
SHA51255747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944
-
memory/1192-30-0x0000000002BF0000-0x0000000002BF1000-memory.dmpFilesize
4KB
-
memory/1908-16-0x00000000005D0000-0x000000000060F000-memory.dmpFilesize
252KB
-
memory/1908-0-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/1908-17-0x00000000005D0000-0x000000000060F000-memory.dmpFilesize
252KB
-
memory/1908-19-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/2616-33-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/2616-1837-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/2616-20-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/2616-3810-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/2616-4082-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB