Analysis
max time kernel: 76s
max time network: 89s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 16:35
Static task: static1
General
Target: -
Size: 775KB
MD5: f49bcb5336b1e1212ae82cbb98f8dfe4
SHA1: fc87518aee297f9c18e40f4604ea048aec0342c4
SHA256: 1501affdcf557a9dcb73ae34d43365d5301532a48328564160fdc1f3acb01e2e
SHA512: 51a4b1a5ede81e4dbeb9a335fe3a370e6ae452a46d4f4ce8753b37d6e399b00e0de3b066921febf1b5b20f5e3356e0d93da5df366acd2002b792ecb7eb32a7e4
SSDEEP: 12288:msCyG0JUuqby8mkxhZZIQUopL1UnDs1WxWM1W0pdNkFGNjB7tDWYK:j/kxX/ZLwo1WgMPACBv
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | svchost.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | svchost.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = "\\\\.\\globalroot\\systemroot\\system32\\usеrinit.exe" | usеrinit.exe
-
Deletes itself 1 IoCs
pid | Process
2068 | cmd.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2484 | usеrinit.exe
-
Loads dropped DLL 1 IoCs
pid | Process
2612 | [email protected]
-
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" | svchost.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | usеrinit.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | Process not Found
-
Suspicious use of NtCreateThreadExHideFromDebugger 8 IoCs
pid | Process
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
-
Suspicious use of SetThreadContext 49 IoCs
-
Modifies data under HKEY_USERS 30 IoCs
-
Modifies registry class 6 IoCs
description | ioc | Process
Key created | \registry\machine\Software\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} | [email protected]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3" | [email protected]
Key created | \registry\machine\Software\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} | [email protected]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3" | [email protected]
Key created | \registry\machine\Software\Classes\Interface\{507e1fac-b73d-1bbf-56af-f783afcbf39c} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid | Process
2484 | usеrinit.exe
2484 | usеrinit.exe
2484 | usеrinit.exe
2484 | usеrinit.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1204 | Process not Found
-
Suspicious behavior: MapViewOfSection 10 IoCs
pid | Process
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
2680 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
pid | Process
1688 | iexplore.exe
1688 | iexplore.exe
912 | IEXPLORE.EXE
912 | IEXPLORE.EXE
1180 | iexplore.exe
1180 | iexplore.exe
552 | IEXPLORE.EXE
552 | IEXPLORE.EXE
1180 | iexplore.exe
1180 | iexplore.exe
1896 | IEXPLORE.EXE
1896 | IEXPLORE.EXE
552 | IEXPLORE.EXE
552 | IEXPLORE.EXE
-
Suspicious use of UnmapMainImage 3 IoCs
pid | Process
608 | Process not Found
608 | Process not Found
608 | Process not Found
-
Suspicious use of WriteProcessMemory 51 IoCs
-
Processes
(indented under their parent process; signature hits listed beneath each entry)

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k NetworkService
  PID:328

C:\Users\Admin\AppData\Local\Temp\[email protected]
  Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Deletes itself
    PID:2068

  \??\globalroot\systemroot\system32\usеrinit.exe
    Command line: /install
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484

    C:\Windows\system32\svchost.exe
      Command line: "C:\Windows\system32\svchost.exe"
      - Modifies security service
      - Windows security bypass
      - Modifies system executable filetype association
      - Enumerates connected drives
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of SetThreadContext
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID:2680

      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:1688

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID:912

      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:1180

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID:552

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275464 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID:1896

      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN
        PID:1928

      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN
        PID:1656

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
          PID:1960

C:\Windows\system32\wbem\WMIADAP.EXE
  Command line: wmiadap.exe /F /T /R
  PID:1452

C:\Windows\system32\wbem\wmiprvse.exe
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  PID:2184

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:528

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID:1940

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID:2896
Network
MITRE ATT&CK Enterprise v15
(tactic, then technique (hit count) and sub-technique (hit count))

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads