Analysis

- max time kernel: 149s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 22:42

Static task: static1

Behavioral task: behavioral1
- Sample: 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe
- Resource: win10v2004-20240611-en
General

- Target: 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe
- Size: 95KB
- MD5: 0d54674853ad3abd2edb0db06e5076d1
- SHA1: 6f4b8e7a41fa7d7664d9de2aeb80f2fc5390f1da
- SHA256: 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc
- SHA512: 4f13600e6de9f8b1ca9d7aea78cdc3d576a379d690d61460f89b21ee9fc06e368ac4b6d5c49d3dcc3b22645d06bbc25e581f95e838fc2fcb570cd63f24bd596f
- SSDEEP: 1536:qfgLdQAQfcfymNvCaL72e/TUoyMVr/B1WbBnXTnF0ajVncmD5Altx:qftffjmNvVL7X9yMVLunF0w5a7
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe |

Executes dropped EXE (2 IoCs)

| PID | Process |
|---|---|
| 4912 | Logo1_.exe |
| 2220 | 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe |

YARA rule matches

| Resource | YARA rule |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe.exe | upx |
| behavioral2/memory/2220-19-0x0000000000400000-0x000000000042C000-memory.dmp | upx |
| behavioral2/memory/2220-30-0x0000000000400000-0x000000000042C000-memory.dmp | upx |
| behavioral2/memory/2220-31-0x0000000000400000-0x000000000042C000-memory.dmp | upx |
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| Description | IoC | Process |
|---|---|---|
| File opened (read-only) | \??\Y:, \??\T:, \??\R:, \??\O:, \??\N:, \??\L:, \??\Q:, \??\P:, \??\J:, \??\I:, \??\H:, \??\M:, \??\K:, \??\G:, \??\Z:, \??\X:, \??\W:, \??\V:, \??\U:, \??\S:, \??\E: | Logo1_.exe |
Drops file in Program Files directory (64 IoCs)
All entries below are attributed to process Logo1_.exe.

| Description | IoC |
|---|---|
| File created | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\_desktop.ini |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_desktop.ini |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.92\identity_proxy\win10\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\_desktop.ini |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini |
| File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\ResiliencyLinks\Locales\_desktop.ini |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini |
| File created | C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini |
| File created | C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\_desktop.ini |
| File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini |
| File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\_desktop.ini |
| File created | C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\_desktop.ini |
| File created | C:\Program Files (x86)\Microsoft\_desktop.ini |
| File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-ae\_desktop.ini |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\_desktop.ini |
| File created | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-sl\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\_desktop.ini |
| File created | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\_desktop.ini |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\_desktop.ini |
| File created | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini |
| File created | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\_desktop.ini |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\_desktop.ini |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\_desktop.ini |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\_desktop.ini |
| File created | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\_desktop.ini |
Drops file in Windows directory (4 IoCs)

| Description | IoC | Process |
|---|---|---|
| File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe |
| File created | C:\Windows\vDll.dll | Logo1_.exe |
| File created | C:\Windows\rundl132.exe | 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe |
| File created | C:\Windows\Logo1_.exe | 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)

| PID | Process | Occurrences |
|---|---|---|
| 4912 | Logo1_.exe | 20 |

Suspicious use of AdjustPrivilegeToken (1 IoC)

| Description | PID | Process |
|---|---|---|
| Token: SeRestorePrivilege | 472 | reg.exe |

Suspicious use of WriteProcessMemory (26 IoCs)

| Description | Source PID | Source process | Target PID | Target process | Occurrences |
|---|---|---|---|---|---|
| wrote to memory of | 3316 | 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe | 2044 | cmd.exe | 3 |
| wrote to memory of | 3316 | 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe | 4912 | Logo1_.exe | 3 |
| wrote to memory of | 4912 | Logo1_.exe | 4968 | net.exe | 3 |
| wrote to memory of | 4968 | net.exe | 2856 | net1.exe | 3 |
| wrote to memory of | 2044 | cmd.exe | 2220 | 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe | 3 |
| wrote to memory of | 4912 | Logo1_.exe | 3368 | Explorer.EXE | 2 |
| wrote to memory of | 2220 | 27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe | 5012 | cmd.exe | 3 |
| wrote to memory of | 5012 | cmd.exe | 2892 | reg.exe | 3 |
| wrote to memory of | 5012 | cmd.exe | 472 | reg.exe | 3 |
Processes

Process tree (indentation shows parent/child relationship; each entry lists image path, command line, PID and the signatures it triggered).

- C:\Windows\Explorer.EXE
  - Command line: C:\Windows\Explorer.EXE
  - PID: 3368
  - C:\Users\Admin\AppData\Local\Temp\27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe
    - Command line: "C:\Users\Admin\AppData\Local\Temp\27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe"
    - PID: 3316
    - Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      - Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE06D.bat
      - PID: 2044
      - Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe
        - Command line: "C:\Users\Admin\AppData\Local\Temp\27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe"
        - PID: 2220
        - Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          - Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\xx.bat" "
          - PID: 5012
          - Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe
            - Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents" /f
            - PID: 2892
          - C:\Windows\SysWOW64\reg.exe
            - Command line: reg restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents" xx.hiv
            - PID: 472
            - Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Logo1_.exe
      - Command line: C:\Windows\Logo1_.exe
      - PID: 4912
      - Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        - Command line: net stop "Kingsoft AntiVirus Service"
        - PID: 4968
        - Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          - Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - PID: 2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  - Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4224,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
  - PID: 3600
Downloads

Files written during the run (hash listings omitted; paths and sizes retained).

| Path | Size |
|---|---|
| C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 251KB |
| C:\Program Files\7-Zip\7z.exe | 570KB |
| C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe | 636KB |
| C:\Users\Admin\AppData\Local\Temp\$$aE06D.bat | 722B |
| C:\Users\Admin\AppData\Local\Temp\27ba9f5f533535f0db3c4c0e2e9189329324b88ad43f073deaf23df7165246cc.exe.exe | 68KB |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\xx.bat | 240B |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\xx.hiv | 8KB |
| C:\Windows\Logo1_.exe | 26KB |
| F:\$RECYCLE.BIN\S-1-5-21-3665033694-1447845302-680750983-1000\_desktop.ini | 9B |