Analysis Overview
SHA256
44e029dd6210c4906a82e1f16dd5ebed434efd225dafb92fc560e6ff6d1ee948
Threat Level: Known bad
The file ProjectFunding_450726_Jun01.js was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Blocklisted process makes network request
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-01 15:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-01 15:42
Reported
2023-06-01 15:44
Platform
win7-20230220-en
Max time kernel
150s
Max time network
131s
Command Line
Signatures
Qakbot/Qbot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2CAB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6ca353.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA535.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6ca355.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6ca353.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_450726_Jun01.js
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000060"
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garokelka.com | udp |
| NL | 217.195.153.225:443 | garokelka.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab2964.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\Tar2AF1.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d2c22e22cef9b8040bdcac9176fcc23 |
| SHA1 | 21bbd13576b27f6e200dd30f91dd9eb15a17ff48 |
| SHA256 | 67b731009829148d3d84f60d2b0c76c36f7e256cb1daa1c4fc4c7611acc644b6 |
| SHA512 | 20029a5d42e2bb1db89f14840d9e47451a530d70e3c9f65f3adc845a00c2b8931ac67bb98e5c1ec50ebb22fb7ac3f2c5296479b4dbcf5411a87ef5de1020b2eb |
C:\Windows\Installer\MSI2CAB.tmp
| MD5 | 6876b555055b5dd5b911739c99e6401f |
| SHA1 | 5c7c7213622aa6f2be154feb4e6e830d3635ef0e |
| SHA256 | 79a20a0d14fcd3352ee1a1a80973dbcbd39fbd28d10aa893a8d3517ee62ba782 |
| SHA512 | 9db57b35647b03fe4d54cad71e0a21c28cb4b061613931623ef33b7d1d8028a02a1c2d3264c5fcd5e68215fb32749c798d26df8ab23c5d678bb6fd00dfe6ae02 |
C:\Config.Msi\6ca354.rbs
| MD5 | a031ff2a4a80d89ee48b5cfa4f55ff3f |
| SHA1 | 5bfd9e61df1eff9959ec8c10baeb0fe81e7a0cd8 |
| SHA256 | d8b7fdb0b73c1a929e5ec058bb01d801f0c81c7220abda18d34bbaf97a5b1bb5 |
| SHA512 | 94f44df2bca13640be702ae016c13a3f35a061be71136bc7cf493597570b917221613fc299ba0e287d3dc7e9458b27ce4a0b374ada4ddaf36b01a7a83d5db6e5 |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
| MD5 | ae49f7e6272a68c6d9b1fe3093acdd74 |
| SHA1 | a7a5091e98843ef0ea6aa3934219d1309b16ab39 |
| SHA256 | 6e75807718df424cb53352f24beb7354f0161b51f484a35940c57325a195c68f |
| SHA512 | daf9b71739d78501a51fa69715eb6d12f87fd16f1a1e20ff79d35b510a44c3157340caff1ed3167b0f831f1b534d5dbd606c3a2d1e6d738bfbf32dca2106a405 |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
| MD5 | 0d4c9f15ce74465c59ae36a27f98c817 |
| SHA1 | 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a |
| SHA256 | d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a |
| SHA512 | 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f |
memory/1644-156-0x0000000000140000-0x0000000000143000-memory.dmp
memory/1644-157-0x0000000000190000-0x00000000001B4000-memory.dmp
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1548-164-0x0000000000080000-0x00000000000A4000-memory.dmp
memory/1548-163-0x00000000000B0000-0x00000000000B2000-memory.dmp
memory/1548-170-0x0000000000080000-0x00000000000A4000-memory.dmp
memory/1548-172-0x0000000000080000-0x00000000000A4000-memory.dmp
memory/1548-173-0x0000000000080000-0x00000000000A4000-memory.dmp
memory/1548-174-0x0000000000080000-0x00000000000A4000-memory.dmp
memory/1548-175-0x0000000000080000-0x00000000000A4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-01 15:42
Reported
2023-06-01 15:44
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Qakbot/Qbot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIFCB4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE05E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57dfe2.msi | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not recoverable from the report] | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Windows\system32\wscript.exe | wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_450726_Jun01.js |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\srtasks.exe | C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next |
| C:\Windows\system32\wscript.exe | wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next |
| C:\Windows\SysWOW64\wermgr.exe | C:\Windows\SysWOW64\wermgr.exe |
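The process list above is the whole Qakbot delivery chain in one screen: a script host running a .js out of the user's Temp directory, the Windows Installer service, rundll32.exe loading a DLL from a user-writable AppData folder by export name (main.dll,next), a 32-bit rundll32.exe re-launch, and finally wermgr.exe, the usual Qakbot injection target. The following is an added detection example written for this page; it is not the sandbox's own signature code. The events are constructed Sysmon-style process-creation records that reuse the report's command lines; the pids, ppids and parent/child edges are assumptions, since the report lists processes without printing the tree. vssvc.exe and srtasks.exe are left out of the rules on purpose: restore-point creation is normal msiexec.exe behaviour and would only add noise.

```python
"""Process-chain rules for the execution pattern in the Processes section.

Added example. Sample events are constructed; parent/child links are assumed.
"""
import re

# user-writable locations a signed system binary should rarely load code from
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
# rundll32 <dll>,<export>; tolerates a quoted DLL path
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<export>\S+)', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event, by_pid):
    """Return the rule names a single event triggers. by_pid maps pid -> event."""
    hits = []
    image, cmd = basename(event["image"]), event["command_line"]
    parent = by_pid.get(event["ppid"])
    pimage = basename(parent["image"]) if parent else ""
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("script_host_user_path")            # wscript.exe ...\Temp\*.js
    if image == "rundll32.exe":
        m = RUNDLL_ARG.search(cmd)
        if m and USER_WRITABLE.search(m.group("dll")):
            hits.append("rundll32_export_from_user_path")  # ...\main.dll,next
        if pimage == "msiexec.exe":
            hits.append("rundll32_child_of_msiexec")    # assumed edge: installer custom action
    if image == "wermgr.exe" and pimage == "rundll32.exe":
        hits.append("wermgr_child_of_rundll32")         # injection target
    return hits


def detect(events):
    """Run every rule over every event; returns (rule, pid, command_line) tuples."""
    by_pid = {e["pid"]: e for e in events}
    return [(rule, e["pid"], e["command_line"]) for e in events for rule in evaluate(e, by_pid)]


def chain_stages(findings):
    """Distinct stages observed; all four together is the chain this report shows."""
    return {rule for rule, _, _ in findings}


# constructed sample: pids/ppids are invented, command lines follow the report
SAMPLE_EVENTS = [
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\system32\services.exe", "command_line": "services.exe"},
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"pid": 20, "ppid": 10, "image": r"C:\Windows\system32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_450726_Jun01.js"},
    {"pid": 30, "ppid": 2, "image": r"C:\Windows\system32\msiexec.exe",
     "command_line": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 40, "ppid": 30, "image": r"C:\Windows\system32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next"},
    {"pid": 41, "ppid": 40, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next"},
    {"pid": 50, "ppid": 41, "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "command_line": r"C:\Windows\SysWOW64\wermgr.exe"},
    # benign control: rundll32 loading a DLL from System32 must not fire
    {"pid": 60, "ppid": 10, "image": r"C:\Windows\system32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, pid, cmd in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} {cmd}")
    print("stages:", sorted(chain_stages(detect(SAMPLE_EVENTS))))
```

Each rule is deliberately weak on its own (rundll32 from AppData is common enough in legitimate per-user installers), so alert on the number of distinct stages seen within one process tree rather than on any single hit; the control event shows that a System32 DLL with an export does not fire.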
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garokelka.com | udp |
| NL | 217.195.153.225:443 | garokelka.com | tcp |
| US | 8.8.8.8:53 | 225.153.195.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| IE | 20.50.80.209:443 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 52.152.110.14:443 | N/A | tcp |
| NL | 84.53.175.11:80 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| US | 52.152.110.14:443 | N/A | tcp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.250.217.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.247.210.254:80 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 204.79.197.203:80 | N/A | tcp |
| US | 52.152.110.14:443 | N/A | tcp |
| US | 52.152.110.14:443 | N/A | tcp |
| US | 52.152.110.14:443 | N/A | tcp |
| US | 52.152.110.14:443 | N/A | tcp |
Files
C:\Windows\Installer\MSIFCB4.tmp
| MD5 | 9b06cae676c6086192a8ddd303332849 |
| SHA1 | e50c2ee48427547edf22f247b0f16def69eb17d5 |
| SHA256 | d0e8241fa1ea48137aa8683131042f92e4faf8621e02838a83d9fd8d07971d2d |
| SHA512 | 40f486154f3b019450a95c41bd240b2fd34e7e3ce12e9dcb51695a8e69d2226c0ccae5d3cd1283ebb1e146fd374902867284def5b44e0f6d2e58b6d63f1406ca |
C:\Config.Msi\e57dfe1.rbs
| MD5 | 6f8cfe52124f47714b043d07e18e972c |
| SHA1 | 4ac0a41ae8c02759662821c73505095ae2b44475 |
| SHA256 | 4c3b9641b154c519922dbc9a4020aae89b8c8581d5185171f27cb1ccf2dce498 |
| SHA512 | a60aeb6b3a69638f4fb5571167f5355680cfbc3f78b892c4089612c5887404c7cc8262ef4b30d8ad5fc763aceb13806247dc713b7ff521cefff3d50e6fe20dd2 |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
| MD5 | 12b90779ae5dd6239f0cf41c1bc2a2d4 |
| SHA1 | f3e00ea8a86ccdcd0a3d252e98f9e8e194052286 |
| SHA256 | bf8b2a3b17dd1379f749d0b9b709bfce9774ccf889d490a46a97b76632ad8a2f |
| SHA512 | 9bee8bea7f8941f40fa0ef8605fe942d91ae789059023b1fb5878457a7b317b916629a1c194a25f177530cbb677cf91fd946e94b067e245b847189984b4bc4bd |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
| MD5 | 0d4c9f15ce74465c59ae36a27f98c817 |
| SHA1 | 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a |
| SHA256 | d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a |
| SHA512 | 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f |
\??\Volume{07416f20-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{af993a4c-2f1f-4a5f-9aac-c1f32022f0de}_OnDiskSnapshotProp
| MD5 | e7c286efa738a86ee4375c0da9b35f0a |
| SHA1 | c9a129218a2b71b78e5e6385ec0564b69bef3493 |
| SHA256 | 823bc43f8be14c7b046d51de2529c8d6741ec26e1a398195035f101fdf8d56b5 |
| SHA512 | 9787178ab9b0a715c4e888b0f6d965090d0db2be9c2ff0f1e31414af3c1f51c20e54f9bcc7c9e7423ea2ffb528b9f987b21f535c06a6420c02a1afd9b41ba806 |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
| MD5 | 12b90779ae5dd6239f0cf41c1bc2a2d4 |
| SHA1 | f3e00ea8a86ccdcd0a3d252e98f9e8e194052286 |
| SHA256 | bf8b2a3b17dd1379f749d0b9b709bfce9774ccf889d490a46a97b76632ad8a2f |
| SHA512 | 9bee8bea7f8941f40fa0ef8605fe942d91ae789059023b1fb5878457a7b317b916629a1c194a25f177530cbb677cf91fd946e94b067e245b847189984b4bc4bd |
memory/4692-169-0x00000000013C0000-0x00000000013C3000-memory.dmp
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 131bb42b21e1b4a2aa4223c4d624a446 |
| SHA1 | 2617269ddcee28a3ac7cae97389b9b9357d4d59d |
| SHA256 | 38b78600cca710f164c9dc6828c8d8d4ed87cedac553e2d92da227920894ba49 |
| SHA512 | f56e26f24362bf1900dad0280a791938c80094723357b717ddc29311038fed7c4485cdb9aedf1cb268e9f4cc1940c4df8acf57d232bd822620322d349baf6906 |
memory/4692-171-0x00000000013D0000-0x00000000013F4000-memory.dmp
memory/4928-177-0x0000000000450000-0x0000000000452000-memory.dmp
memory/4928-178-0x0000000000420000-0x0000000000444000-memory.dmp
memory/4928-184-0x0000000000420000-0x0000000000444000-memory.dmp
memory/4928-185-0x0000000000420000-0x0000000000444000-memory.dmp
memory/4928-186-0x0000000000420000-0x0000000000444000-memory.dmp
memory/4928-187-0x0000000000420000-0x0000000000444000-memory.dmp
memory/4928-188-0x0000000000420000-0x0000000000444000-memory.dmp
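The Network and Files sections are what an analyst actually carries out of this report: the only destination tied to a resolved name is garokelka.com at 217.195.153.225:443, the traffic to 8.8.8.8:53 is resolver and PTR lookup noise, the remaining bare-IP connections are unattributed until someone checks them, and the dropped-file hashes are the host-side indicators. The following is an added example, not tooling from the sandbox vendor: it parses excerpts copied from the two tables above (shortened here) into that reviewed indicator set. The parsing rules are mine; in particular it tolerates rows of the raw export in which an absent Domain value left the protocol shifted one column to the left, a missing trailing pipe, and an N/A placeholder.

```python
"""Turn the report's Network and Files tables into a reviewed indicator set.

Added example. The table text below is an excerpt copied from the report; the
parsing and triage logic is not part of the report.
"""
import hashlib
import re

NETWORK_TABLE = r"""
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garokelka.com | udp |
| NL | 217.195.153.225:443 | garokelka.com | tcp |
| US | 8.8.8.8:53 | 225.153.195.217.in-addr.arpa | udp |
| IE | 20.50.80.209:443 | tcp | |
| NL | 84.53.175.11:80 | N/A | tcp |
| US | 52.152.110.14:443 | tcp
"""

FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
| MD5 | 12b90779ae5dd6239f0cf41c1bc2a2d4 |
| SHA256 | bf8b2a3b17dd1379f749d0b9b709bfce9774ccf889d490a46a97b76632ad8a2f |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
| SHA256 | d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a |
memory/4692-169-0x00000000013C0000-0x00000000013C3000-memory.dmp
"""

PROTOS = {"tcp", "udp"}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_network(table):
    """Parse the pipe table; handles a shifted/absent Domain cell and a missing trailing pipe."""
    rows = []
    for line in table.strip().splitlines()[1:]:            # [0] is the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        country, dest = cells[0], cells[1]
        rest = [c for c in cells[2:] if c and c.upper() != "N/A"]
        domain = "" if not rest or rest[0] in PROTOS else rest[0]
        proto = next((c for c in rest if c in PROTOS), "")
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def triage(rows, resolver="8.8.8.8"):
    """Sort connections into the buckets an analyst reviews differently."""
    out = {"dns_forward": set(), "dns_reverse": set(), "named": set(), "unattributed": set()}
    for r in rows:
        if r["ip"] == resolver and r["port"] == 53:
            bucket = "dns_reverse" if r["domain"].endswith(".in-addr.arpa") else "dns_forward"
            out[bucket].add(r["domain"])
        elif r["domain"]:                                    # endpoint tied to a resolved name
            out["named"].add((r["domain"], r["ip"], r["port"]))
        else:                                                # bare IP: needs manual attribution
            out["unattributed"].add((r["ip"], r["port"]))
    return out


def parse_files(section):
    """Map each dropped-file path to its hash rows; memory dumps carry no hashes."""
    files, dumps, current = {}, [], None
    for line in section.strip().splitlines():
        line = line.strip()
        m = HASH_ROW.match(line)
        if m and current:
            files[current][m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            dumps.append(line)
            current = None
        elif line:
            current = line
            files.setdefault(current, {})
    return files, dumps


def indicators(network_table=NETWORK_TABLE, files_section=FILES_SECTION):
    """Blockable indicators: named C2 endpoints plus SHA256 of every dropped file."""
    t = triage(parse_network(network_table))
    files, _ = parse_files(files_section)
    return {
        "domains": {d for d, _, _ in t["named"]},
        "endpoints": {(ip, port) for _, ip, port in t["named"]},
        "review": t["unattributed"],
        "sha256": {h["SHA256"] for h in files.values() if "SHA256" in h},
    }


def is_known_bad(data, iocs=None):
    """Hash a file's bytes and test it against the dropped-file SHA256 set."""
    iocs = iocs or indicators()
    return hashlib.sha256(data).hexdigest() in iocs["sha256"]
```

Only the endpoints with a resolved name go straight to a blocklist; the unattributed bare-IP connections are kept in a separate review bucket rather than blocked, because a sandbox VM also talks to ordinary Windows service endpoints and the report gives no way to tell those apart from attacker infrastructure.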