Analysis Overview
SHA256
61ff034c476d4060fbea6debc5f84494cf02f337a9a897ddb6b3eb3a28c16406
Threat Level: Known bad
The file Antivirus 2010.zip was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Windows security bypass
Sets service image path in registry
Modifies system executable filetype association
Loads dropped DLL
Deletes itself
Executes dropped EXE
Enumerates connected drives
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 16:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 16:35
Reported
2024-03-02 16:37
Platform
win7-20240221-en
Max time kernel
76s
Max time network
89s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\system32\svchost.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = "\\\\.\\globalroot\\systemroot\\system32\\usеrinit.exe" | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" | C:\Windows\system32\svchost.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\S: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000005256fa2613c423d20cbaa1097c1ca81bc3077792f0f1270426da644b5fe3f7e5000000000e8000000002000020000000841a78ba40c5e3c996fa4f68b7916868540d8cd9652eccdfe85a735a224a05ac200000001344d231d1c97b5cae25ed5302e39485e2066b6f30c75ed894a9e1e09b49e4b7400000009ea7c91c481e451c4c0f6f5c0a54da4e1363ab59594d522d59a95d6e992dda7d0a45891eb0b954447244dc0a43ff009cf518966a2e819f8a2e84cb36d144d012 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{12D37E61-D8B3-11EE-B671-4AE872E97954} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a03987e1bf6cda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1CEA3241-D8B3-11EE-B671-4AE872E97954} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC} | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadDecision = "0" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01 | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadNetworkName = "Network 3" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\3a-31-e6-b0-02-01 | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01\WpadDecisionTime = 60777cc1bf6cda01 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01\WpadDecision = "0" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadDecisionTime = 60777cc1bf6cda01 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \registry\machine\Software\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \registry\machine\Software\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \registry\machine\Software\Classes\Interface\{507e1fac-b73d-1bbf-56af-f783afcbf39c} | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Token: SeDebugPrivilege | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| \??\globalroot\systemroot\system32\usеrinit.exe | /install |
| C:\Windows\system32\svchost.exe | "C:\Windows\system32\svchost.exe" |
| C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2 |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275457 /prefetch:2 |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275464 /prefetch:2 |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2 |
Network
| Country | Destination | Domain | Proto |
| US | 168.156.42.60:80 | | tcp |
| US | 168.156.42.60:80 | | tcp |
| US | 168.156.42.60:80 | | tcp |
| US | 168.156.42.60:80 | | tcp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| GB | 87.248.114.12:80 | www.yahoo.com | tcp |
| NL | 88.208.21.219:8083 | | tcp |
| US | 8.8.8.8:53 | secure.2010billing.com | udp |
| NL | 88.208.21.219:8083 | | tcp |
| NL | 88.208.21.219:8083 | | tcp |
| NL | 88.208.21.219:8083 | | tcp |
Files
memory/2612-1-0x0000000000400000-0x00000000004C4400-memory.dmp
memory/2612-2-0x0000000000580000-0x0000000000780000-memory.dmp
\Windows\System32\usеrinit.exe
| MD5 | 4acd14244d2cd76d06939163127cfb10 |
| SHA1 | 75f3e3c764f7d20c9950f5410f753f3210bcc2e7 |
| SHA256 | 29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb |
| SHA512 | 001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031 |
\systemroot\system32\msiavjyv.dll
| MD5 | 7943d251821ca441924f0d64946e8a3d |
| SHA1 | cace099a490410260802ee143f7c7e3543f2f4cf |
| SHA256 | be8dbcb59c3181ec518a6934931efc725a128310956fd076f0f0bd537b96a9eb |
| SHA512 | 0d4c9f021e07e2a27f3e7f46be591f01ec4c04fce98d9c177697ea4518d0c8d80105d73a29deff925cf28fce89a4fe40e790ef0086748dc169b1a8190e6d40f9 |
memory/2612-9-0x0000000000400000-0x00000000004C4400-memory.dmp
memory/2680-15-0x0000000000190000-0x00000000001AA000-memory.dmp
memory/2680-14-0x0000000000060000-0x0000000000077000-memory.dmp
memory/2680-20-0x0000000000190000-0x00000000001AA000-memory.dmp
memory/2680-25-0x0000000000190000-0x00000000001AA000-memory.dmp
memory/2680-43-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp
memory/2680-50-0x0000000000190000-0x00000000001AA000-memory.dmp
memory/2680-51-0x0000000000190000-0x00000000001AA000-memory.dmp
memory/328-54-0x0000000001360000-0x0000000001366000-memory.dmp
memory/2680-53-0x0000000000190000-0x00000000001AA000-memory.dmp
memory/328-52-0x0000000001340000-0x0000000001343000-memory.dmp
memory/328-58-0x0000000001360000-0x0000000001366000-memory.dmp
memory/328-66-0x0000000001360000-0x0000000001366000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{E9C1E0AC-C9B1-4c85-94DE-9C1518918D02}.tlb
| MD5 | 63881935b6ff930a39df13a27c18c3f5 |
| SHA1 | d5464ca24d61b2efb562b1b4f4e0bef69c94cf04 |
| SHA256 | 50d712b007a3339855619a4ad283661c07e13ec0a74465ea3d121439005cd1e5 |
| SHA512 | 011d0307d088ac7a691ff504f8c3e99a06097fc27e10d40d62721cf6c6d0500120d040a7d32fd10aa50aeef1ef12be67501fff122bed129a354fb57c213a0ed9 |
C:\Windows\System32\exefile.exe
| MD5 | 72178bb0f9674f0ce0b6b188d1219266 |
| SHA1 | ae3c43c7846c0ef977fa90991e1c366e34ab671c |
| SHA256 | 09cd3c864182b703a1384a15e60424c0ee8c82c3fd19f197c391a0e3ec5bd16e |
| SHA512 | d9004c1b8402375c92690525f06ae83198bb929bb18dfc46fda9036a4054ed9c38637438b13ecc2566f98f2a8ac297ec7f0151b63a59c4f7bbc2ab8f7b6d779e |
C:\Users\Admin\AppData\Local\Temp\Cab7497.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx
| MD5 | 3d9c07539df65f271c6f796ecd8a5a25 |
| SHA1 | df81120bbe93431f064d634f221309c5b129c73d |
| SHA256 | 2c5af935a6aa5a84ccf281b70fc33696e17f514433bbfcb5f99001a654a35730 |
| SHA512 | 921b4bf60e6b2bd0997a95918897a842bcd1e7ca3256aefd89f669b5dc8a25522fd8bfec99888825e317f574cf030de0d5aca11a6c67ac16e2dad9d7b2f1deee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar75D6.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 91af7e3d8a897a02f257050baf4612e3 |
| SHA1 | 845b3a0cac21a3d16ed0e5ab7b405a1fa0decc6e |
| SHA256 | 968480269438b691099e36c23596293b6d6bfa0cde0cc866612544f4a2974146 |
| SHA512 | 3b9dccafaca958facee630ddf89effcdc783196ebf987545e4c1587845232050a89d916deb2d8d503af4382d2fd3748bda4868cd684ee402733061cb9f255dac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 88de4a8552e3144b1de75f4ef7665a7d |
| SHA1 | 1dac5991e3f94edfef4bad29ba1905920e9c1fe3 |
| SHA256 | 5b5bacfced416c5927b1f5daa817b2b577610832b83df23c7191a7b6d22a1c8b |
| SHA512 | 01056d824678371f18050104171932b0c5c6983de1d7b516c9f29b3f0281ed92e11b0e0448726fc2ece788d37c138478feef30c90c25849325dddabcedc146de |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 125576ec7f0ff7d3923a2da41fc93675 |
| SHA1 | b8aee8597c54f7cbc7ce368db103c2f6d760489f |
| SHA256 | e508e11f97836b1c1125c8f130fe09dd407dc4773860f883a852c70783471d50 |
| SHA512 | 74b4b6ff8dbb172a83eb14f1782a801786c48694d06fb2a49cbab0925c391667b99cdb2ccaa9912f8a305b9975104dc40ee6f25c988df5ec9d66f21bfbac7e1b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 435e230041289fbefae505f969005e7e |
| SHA1 | 392cc149203138c1865603b423af61254fd70eec |
| SHA256 | a0df2d01909381dba22c6a2774267aed6de21f244992702b52ddb9029c4ea0f1 |
| SHA512 | 57efc116e10f2679ce89318c55dd952f6b6bfa70b6ddd7eaaafbd620c10808beb371bb29c7755b8fd6d657c0da580180a212593fe19c9d1c20574a0e21590ed2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d217d64fc07dbe5c258f0f32834f5f48 |
| SHA1 | 209d32f312d6724e6bf9d8a4627e7ce6ba8428e3 |
| SHA256 | cd4b0ed1f0c8d2fea70bfa177c11cba304022178612964fd51bc755a215a083b |
| SHA512 | ec0f8ab137f97976a3f4cef8b9eb3686f53855a5802f3b76964527975742495fc8889731a0539a1ae5de2956164fef0f416805d1d0b0f0ba2a4b268ed2e9b7be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6988b80347b77ceebebf1427a3d319a7 |
| SHA1 | 77b1ceae719143795096380b9cfe9829723d7942 |
| SHA256 | aa677512c7eba52eacf127ee6099101027d1d6045dfad7eb3e707cc719f61693 |
| SHA512 | 16e8cdee31428c63280d46b50e24085baba0d4fdf2e7ed1fe45c06fffbc8f770a879a35efe9a6dc71cc7012a124b1c8488fa6776600975a70b4eb25132787f86 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e25aa2dbc8e99ca25206a04d935f72d8 |
| SHA1 | 2a190a44c9df876c62fcb5ff864c976a8cb93c12 |
| SHA256 | 9d18d1a16270a66022cf4b79c277b569ac7f9ec4cc289d0aaf977f69030c8d14 |
| SHA512 | 8000db05d9c6ce8080c7f449c07d836268aa5f3284636c290e3c3bb54439d9506aa7639b62d3f1c131e30f624f14d9b69d7b3be8b007cd967c3424a0cfb7adc2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | de548bb2323cf64740950ff6ece245d1 |
| SHA1 | 84900b2089d83a1309c75d6c2779458bf09a611b |
| SHA256 | 9857c2d654eaf673ac92abd85b5cdd07ed019f506f13cd2530184fb05f17bc5c |
| SHA512 | cae72ed7ef0f8f8a69f8272edbbe4e739b805ed4d5a044d8d4442575a98d1a91405ba517e7ea3cb4a6c1143994e2ae12038bf8eee1693ad12ddcd961d1a84596 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3fa72dedbb4968745fc140d78c9f5f10 |
| SHA1 | 9bbfbd9e3f13c54f593854e38a86fc67060dae5b |
| SHA256 | 4a41e86e6cb191941ddc59a71f84e1fc43394eaf7b7ae01fad291b6ed8faf028 |
| SHA512 | 6e3baa93721190d7ff504a3a1a6bcec821133c9cfe2a35903337edee0b4bce2e480f328355ab65cd2efc06ab8bb38b698ec4a1507b4dc7bf10f556e1ca4a1815 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 00393b74b1e78443909b60d283b272ef |
| SHA1 | 17c2a82e29628c17afccdbbea79c8e1051569306 |
| SHA256 | 131868f188cf0c9072348e22ceab919e470a8853dfa2918d02a9a58f0bb7505e |
| SHA512 | 1769b8bf4fcd9cd1b426803ce119d8f245d929501e956d8ce792eb3b4621ce9032719152d4f8664afaa766b1f34b242b646a72cd9984fca1da2ae6821502d8e2 |
memory/2680-718-0x0000000000190000-0x00000000001AA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{12D37E61-D8B3-11EE-B671-4AE872E97954}.dat
| MD5 | 9527bf40f559800fd3b04814bbc79a2c |
| SHA1 | 768c5b4fe5462f030467e552360a5e0ba5f39c43 |
| SHA256 | 436ef25d4247f02fce299ef9b60b7b1a908b795c5385c66565449870aedeb88c |
| SHA512 | 8b4ad12cef16f44c36e3ff8c50c4b7e08265aa1f11c69aaaff55e6930ac00d315c26055694aca30fa0e9d283d1d0b98ac17f51561299acd60a11a0409edf914a |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{BA76E2A0-D0CB-11EE-AB17-C695CBC44580}.dat
| MD5 | 155996f17a92c47de350e459a6e41386 |
| SHA1 | e471d155c1d7168f1a75d5864f388bb4b38015e0 |
| SHA256 | bfa419ade4b7b9f1c5df73d8baefd06b9adca183df79fa3cca1134ad998e5112 |
| SHA512 | a5c5336ed8e132f40ecd0d93d5c2d231e4d5a60f4fa83d6df1b54e7d840baf43c0f15e301217bc3c07454be8a0b329de7384bf435a978560993f5686327e4a63 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{12D37E64-D8B3-11EE-B671-4AE872E97954}.dat
| MD5 | add3306883224d654844a059926cd23a |
| SHA1 | 63056684cf174583355cc626c01e6578252bab03 |
| SHA256 | 919aeb875e9d7a47a5b6c1439f24b9cca9cb4434337c353c9f14aae5eda90d9c |
| SHA512 | 8bedf4fd31f4e9d5413b2494975dae8db86c2827655e0c519bfb8110bf97d9dc333efbb642bb5be99e735e4fad97b7534fc75a64bbedbd1e04768711f326c8e7 |
C:\Users\Admin\AppData\Local\Temp\~DFAA18BF052BDAA972.TMP
| MD5 | 586b38047b28665d76fa758c9b063573 |
| SHA1 | bf727aa40120cdcc43591e2d8921b26c5322a17c |
| SHA256 | 6909c25c91407cee861748a84d582473fb8ff34140044c80880799ab642809a1 |
| SHA512 | 59d45b5c875a56da4eaf024c028422a0d1010a876efbd397ba37c0944de74920de9cf4e73c056b80d493a7b64261f857aaad59043b63f071f154f65281ad8abe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dec6f1c5c8c9e13e7a5e48aea260e3ec |
| SHA1 | 8487e5361256c42842cac9f5c8b1d028eddfe3c6 |
| SHA256 | 39a4e5e572a005067ca631f9a96bc59e5ae9d3b60ef5793be557426013329e6f |
| SHA512 | 18f2868fd851f4862ed681350dc52cc8e6eee13fbad7221d1c220948f0d02b96e22a4f0dda429f99a37d63b7868aa7f6e49235c3b668566e8de455b0170b422f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 543b72f33e20b7b2eb61654a4ad916c9 |
| SHA1 | 8e3ba6503b1774afaf29c5aec846a7653c3d7811 |
| SHA256 | 897bc4fe5e6bccfda5e86507edfd88f1501be61810ccfcab96a7d4943b06d526 |
| SHA512 | 5d14fcd926a5cd03c5135bc640a5a916fd8c94ade5a86bcd606d43ada7d5a281130981dee603bf975b53b0d1e7cdffa9f33787551973290a6721714aa1b5016b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d773d93012bce1b52e7c9b97907e8c94 |
| SHA1 | 672d2e4982d61708caf5e0f9cc4fdaa604905d00 |
| SHA256 | cd7d10d365c89b0902c21b7c6fa290832e32033f6eb633250fa26084a49c2fe0 |
| SHA512 | 7010bfa2418d1133a0e938bdabdf762cef0521b65586ce41df0db165c720a389843c913d5d7e67462a5ba9759c594d99342bdb4bc14f92e201b47b8979da8c23 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 383ea7d6a28aea7f6e45998ed97e54ce |
| SHA1 | 5bd6b4141a43645cb3ff4ca49d13bbca8e56701b |
| SHA256 | 4ffa0278b6d40ed1d88c8070df804fdf91e0790e3f678fe818db84252cd4f9be |
| SHA512 | d72da5202aee091dae5ad0f5d48a8e14a15751da1ef77febe7b210424ab7a522e23e40f92ba6884fec216a711817fd2135cbbb83b675dc27b6dd50cda52d86cf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 56fd870f55562b79b9efb40f2c135397 |
| SHA1 | 0673955ddce7a2fa0fa3299e21e05fe0b52f9a08 |
| SHA256 | f885469cef80fbc3ec9658881f8ab82860b43f1ac898a420acd623e8c3719be3 |
| SHA512 | a93c37179c2c29667bccf14c932f6460144c26acb0908bc9e28ece9f24b95c439eb26a1f375cabfb54091e7c9385d5c584b9c2e3c341d38b0afc9f7cdab83813 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 97b1e9848ca5acef67c9ce508c293eec |
| SHA1 | e10a89fb33ede8551319fe4a885048f928a55042 |
| SHA256 | d21dee8bc3ae5f967fe77eacb283cea1fa1743056e3a21d1802e8e677e9505cf |
| SHA512 | c36a8b153ad2a524e366d8b1c653f4c5e3e3ae098d827962e1994adb247fb68dee9732ef7cb620c706bd553f54c950a85b492f01e98e70642202cb72ae4d09ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1cf53bf00ae4ae0d15248970b5dc4ecb |
| SHA1 | 45beea26ba739c59e5d45f381d190f8abdfb113f |
| SHA256 | ac0d415e494c5297a5103263f31bbc0d867d8d07384f01f972ddf4e617b44a55 |
| SHA512 | ddbc7605809a806c7e1d824b61b3d6ae6687b511dbe7b88eb41dc6a3247171540e3581ecd171c0a12577e97f048f132220892f371c7462ac201c8e9bbfc05cea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 12536c96bc64bc5d677f7d012f67f318 |
| SHA1 | e6fbbfab3848cc75801f53ffec76f6fa61b5e344 |
| SHA256 | 32784e3dd8bb3cdbf723d9151ae19b511c83b75d443720cb79b82db92600e8bd |
| SHA512 | e61af4e45b9d65ba2b54d13d96af92b6e8f6598cd93a720c98e993c29e21b1874f1352c7fe2370f6cc747a611ae0c2097ebe2131ebc6d24ae004d88c0de53d73 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5fa99b9beab8f1a98421f7e371dc3d38 |
| SHA1 | c8991d394ee5166a8f3f7103064ff03981e17af2 |
| SHA256 | a41d68f1beee07844693bfe948b6305c071926797485c3818a4c90b7d67bb9b5 |
| SHA512 | 52c6868e1e1abad7ad418b5dec92b12e6a4d8733622a98a21011e005f3cbc8da6873e7b68cf2caddae378a01283e82abdba218d01187327a7f6befecd0c85486 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eeeda9c53aea509b4c87f20bd15ec7e5 |
| SHA1 | d3a0a385a76979c2dbfb5f9328cbb82691306c6c |
| SHA256 | f986af75bfbf3f992ef0003969beb15aa6ca965e3441aa49076a306b7d45b0ef |
| SHA512 | ee5cf39b1f4d2c3b1b9ef8d2ebe0c746a24264214002ac95333f99a0352a7597430c064b2b50c900a5a06fc498edbfab560d34acb315d9147b44cee1be4bd624 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1CEA3241-D8B3-11EE-B671-4AE872E97954}.dat
| MD5 | 22b178ee31c51f48b66eaac9984cfaa9 |
| SHA1 | b8b264ded9130d49369d998777b7ad53ca3708fc |
| SHA256 | 56ac709270958c98de1793b7db0fffea535ed3799d0fafcba00c358b73408a64 |
| SHA512 | 89a531b6d5142fb34a1cfaad84069702a239aa27d2c2f568798d3fd9ad137a84da5cd6f742338be1ded8c6c44e7304ee5d6ca684117a2210873af879b00a7bfa |