Analysis

  • max time kernel
    76s
  • max time network
    89s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 16:35

General

  • Target

  • Size

    775KB

  • MD5

    f49bcb5336b1e1212ae82cbb98f8dfe4

  • SHA1

    fc87518aee297f9c18e40f4604ea048aec0342c4

  • SHA256

    1501affdcf557a9dcb73ae34d43365d5301532a48328564160fdc1f3acb01e2e

  • SHA512

    51a4b1a5ede81e4dbeb9a335fe3a370e6ae452a46d4f4ce8753b37d6e399b00e0de3b066921febf1b5b20f5e3356e0d93da5df366acd2002b792ecb7eb32a7e4

  • SSDEEP

    12288:msCyG0JUuqby8mkxhZZIQUopL1UnDs1WxWM1W0pdNkFGNjB7tDWYK:j/kxX/ZLwo1WgMPACBv

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 49 IoCs
  • Modifies Internet Explorer settings 1 TTPs 62 IoCs
  • Modifies data under HKEY_USERS 30 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    1⤵
      PID:328
    • C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]"
      1⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Deletes itself
        PID:2068
      • \??\globalroot\systemroot\system32\usеrinit.exe
        /install
        2⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\system32\svchost.exe
          "C:\Windows\system32\svchost.exe"
          3⤵
          • Modifies security service
          • Windows security bypass
          • Modifies system executable filetype association
          • Enumerates connected drives
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2680
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:912
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1180
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275457 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:552
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275464 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1896
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN
            4⤵
              PID:1928
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN
            4⤵
              PID:1656
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
              5⤵
                PID:1960
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
      PID:1452
  • C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    1⤵
      PID:2184
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:528
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
      PID:1940
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Downloads
