Analysis Overview
SHA256
3290ebf23a0f763607fa8c7a64b84da516d015adf663380dea9bf5ac19929543
Threat Level: Known bad
The file 06343599.js was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Blocklisted process makes network request
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-02 11:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-02 11:58
Reported
2023-06-02 12:00
Platform
win7-20230220-en
Max time kernel
150s
Max time network
129s
Command Line
Signatures
Qakbot/Qbot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI6BFC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6d6a6a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBC3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\6d6a68.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\6d6a68.ipi | C:\Windows\system32\msiexec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\06343599.js
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A0" "00000000000004A8"
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garokelka.com | udp |
| NL | 217.195.153.225:443 | garokelka.com | tcp |
| US | 8.8.8.8:53 | lakirasa.com | udp |
| BR | 216.238.111.194:443 | lakirasa.com | tcp |
| US | 8.8.8.8:53 | tofinka.com | udp |
| IR | 185.235.138.66:443 | tofinka.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.169:80 | apps.identrust.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab7FF.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\TarA38.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b4b20b76542b8a4e170e72a3de7ebce0 |
| SHA1 | 0f168d4ffc3a7d72d07e16373eb4a0f9d1730a45 |
| SHA256 | cb5e7b827d285c2160980486a3fac382532d749bb95a88c47aedd54b53b41c77 |
| SHA512 | 4082550269eebffd5bc3b5325de5de264e188fdfb5bd07d3e9eaf5cfd82b2e90847035179a62cebec045ceb0c30ac20b89f2ec84e02eaeb81c5d4d54daeaa39e |
C:\Windows\Installer\MSIBC3.tmp
| MD5 | 84105d5f389717c68139918269d4461d |
| SHA1 | 5e0a7530f5a9dfb8b72ae6a29a71cd6829f15351 |
| SHA256 | ee3cda5ebcda50cf08c43d3ed8463677152ba7af99490764afecc0379fc8cd1b |
| SHA512 | 298ebd4d41bbcafd28a4d49e1108540c05c3c0d83e38be0304dbf7579e0af06503fb503a414d93359fb1e4f9a1d46b343488da4bbea0a4fd1efe4df9fad4d2b4 |
C:\Config.Msi\6d6a69.rbs
| MD5 | d458f0fd64a8f3fda3913b3e70abbab3 |
| SHA1 | 7261b2ae681cd022bba260e3bab6da26df29e331 |
| SHA256 | b5c9b7dfebb9ce94407815b040d54ebc46a423faa62615715fd3536ac3cfccff |
| SHA512 | ce2dcf0b3a8ccce0655e7a7ca4cb00e3d5f2f96f6e1e3a56642dbf8bec479f7c4913b5aaefcf571e9f07d489d2b122df708922a4bea01f8f7f7e61ad198fe21a |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
| MD5 | e5508d90adc69e16aeee0d1f9aa33968 |
| SHA1 | b2d3544b2307e8b10c3b8dc8e519d217edf62c0c |
| SHA256 | e5ecfab1dba2cddc9402e78185f43e6955eec82cbf3b0980ea67d4b30ed123d8 |
| SHA512 | 881037155f63b98216785df9655fb497c36b2005c5f83a50d7b2486f870fba0764e11ff80d40c9723a441d904694f4ee4c99dd6ee9653350506b7dd3d6d34a16 |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
| MD5 | 0d4c9f15ce74465c59ae36a27f98c817 |
| SHA1 | 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a |
| SHA256 | d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a |
| SHA512 | 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f |
\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
| MD5 | e5508d90adc69e16aeee0d1f9aa33968 |
| SHA1 | b2d3544b2307e8b10c3b8dc8e519d217edf62c0c |
| SHA256 | e5ecfab1dba2cddc9402e78185f43e6955eec82cbf3b0980ea67d4b30ed123d8 |
| SHA512 | 881037155f63b98216785df9655fb497c36b2005c5f83a50d7b2486f870fba0764e11ff80d40c9723a441d904694f4ee4c99dd6ee9653350506b7dd3d6d34a16 |
memory/1176-155-0x00000000001D0000-0x00000000001F4000-memory.dmp
memory/1176-154-0x00000000001C0000-0x00000000001C3000-memory.dmp
memory/1304-161-0x00000000000F0000-0x00000000000F2000-memory.dmp
memory/1304-162-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1304-168-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1304-169-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1304-170-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1304-171-0x00000000000C0000-0x00000000000E4000-memory.dmp
memory/1304-172-0x00000000000C0000-0x00000000000E4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-02 11:58
Reported
2023-06-02 12:00
Platform
win10v2004-20230221-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Qakbot/Qbot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e5797dd.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2CCD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9878.tmp | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted] | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\06343599.js
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garokelka.com | udp |
| NL | 217.195.153.225:443 | garokelka.com | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lakirasa.com | udp |
| BR | 216.238.111.194:443 | lakirasa.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.182.143.210:443 | | tcp |
| US | 8.8.8.8:53 | tofinka.com | udp |
| IR | 185.235.138.66:443 | tofinka.com | tcp |
| US | 8.8.8.8:53 | 66.138.235.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 52.242.101.226:443 | | tcp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.3.40.23.in-addr.arpa | udp |
| US | 52.242.101.226:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
Files
C:\Windows\Installer\MSI2CCD.tmp
| MD5 | 485d28c1a4dbd1c2ebf7a3b4518d7b43 |
| SHA1 | db920a3eb784c86c5fdf0ef25841c2fbd26466ab |
| SHA256 | 897a4b6be5d1ab3643756b547fda2e5064380c7f305c4ac6ba9883194f2776f1 |
| SHA512 | 771aaaf626ac0cbfbb07c39d6c577374b34ba51cb2c56258cc82e78ac74f2f9512535e32326c28f4bcd263aa4384389ce8b01d96bc15130b0d32403264870b51 |
C:\Config.Msi\e5797dc.rbs
| MD5 | 1b942b8814e57cff213ffa119524ee46 |
| SHA1 | 69ca95b362e42ddd2ac3958dce771ac273024aa8 |
| SHA256 | 1f3c35bb316542815fe9512e1fedb33b83c37548e653081cb933741ce869ca04 |
| SHA512 | 143e3e4b99864557e6d49a97736e49aaeeb652d92a71662d7cc168c67ebdf3c9b04aa29e9a540524ad77b3de4ebc46e6fda9fa31ffc552b69cab2ece2600c876 |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
| MD5 | 7ef6522096f05d2144bf938010551774 |
| SHA1 | 4f0884a7326db0610b5520ece1a4a64d666e84cf |
| SHA256 | 7f64a81bd4b2d686f7abe3f0b58097f2b2792d7c32eea5fa225753e45eab1efa |
| SHA512 | 8f39c3c0fbb066394d15256aab3f005ba3099a38d7e6c05992d99595dbf8e146493bf5b7141f731e7b88c5097861c59343ab32215195bb6d408a75619699ce4c |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
| MD5 | 0d4c9f15ce74465c59ae36a27f98c817 |
| SHA1 | 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a |
| SHA256 | d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a |
| SHA512 | 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f |
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll
| MD5 | 7ef6522096f05d2144bf938010551774 |
| SHA1 | 4f0884a7326db0610b5520ece1a4a64d666e84cf |
| SHA256 | 7f64a81bd4b2d686f7abe3f0b58097f2b2792d7c32eea5fa225753e45eab1efa |
| SHA512 | 8f39c3c0fbb066394d15256aab3f005ba3099a38d7e6c05992d99595dbf8e146493bf5b7141f731e7b88c5097861c59343ab32215195bb6d408a75619699ce4c |
memory/932-165-0x0000000001390000-0x0000000001393000-memory.dmp
memory/932-166-0x0000000002D80000-0x0000000002DA4000-memory.dmp
memory/2340-171-0x00000000004D0000-0x00000000004D2000-memory.dmp
memory/2340-172-0x00000000004A0000-0x00000000004C4000-memory.dmp
memory/2340-178-0x00000000004A0000-0x00000000004C4000-memory.dmp
memory/2340-179-0x00000000004A0000-0x00000000004C4000-memory.dmp
memory/2340-180-0x00000000004A0000-0x00000000004C4000-memory.dmp
memory/2340-181-0x00000000004A0000-0x00000000004C4000-memory.dmp
memory/2340-182-0x00000000004A0000-0x00000000004C4000-memory.dmp
\??\Volume{7e74cb8c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bca989e5-5e7c-4ac7-a443-b9bad2b1e36c}_OnDiskSnapshotProp
| MD5 | c1a8c4bea19e73349a96d92b7424eecc |
| SHA1 | c0170b3ec70f9ccdfffa7434dec0c3fe164e6cb1 |
| SHA256 | e89ead2b1ca7278d5629621288bbada404326e10e88a68fef8eda6134f2abd86 |
| SHA512 | fba09e745366bb6c2e814f5f2fd58018115e378a36b4c96a55bf42335fd923d0e3db78e93270cfa85d821f8aab0166a91f0baa9f18725c5da0479ba947a6c166 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 34bcc6767127e917e5b4c7ec2a321938 |
| SHA1 | 919ac3745e43a8239e05af585656fbb65cad9320 |
| SHA256 | 2623dd5fe62b4c25f2ec7bfd32971c55e1e97d161b8497a1337d62ca8f306bbc |
| SHA512 | 3f7726fdca0ecab689d1c7387dea9fe359e0a59820650c7356aafbf7e1b5190cc8e009d50af9aac651207dbbc626104fe81153802412bafc9eaa2d112fdda6f0 |