Malware Analysis Report

2025-08-11 01:06

Sample ID 240302-t345xafd49
Target Antivirus 2010.zip
SHA256 61ff034c476d4060fbea6debc5f84494cf02f337a9a897ddb6b3eb3a28c16406
Tags
discovery evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

61ff034c476d4060fbea6debc5f84494cf02f337a9a897ddb6b3eb3a28c16406

Threat Level: Known bad

The file Antivirus 2010.zip was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence trojan

Modifies security service

Windows security bypass

Sets service image path in registry

Modifies system executable filetype association

Loads dropped DLL

Deletes itself

Executes dropped EXE

Enumerates connected drives

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:35

Reported

2024-03-02 16:37

Platform

win7-20240221-en

Max time kernel

76s

Max time network

89s

Command Line

C:\Windows\system32\svchost.exe -k NetworkService

Signatures

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\system32\svchost.exe N/A
Note: Start = 4 is SERVICE_DISABLED. wscsvc is the Windows Security Center service, so from the next boot nothing monitors or reports the firewall and antivirus state. The write is attributed to svchost.exe, i.e. to code already running inside a service host (see SetThreadContext below).

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" C:\Windows\system32\svchost.exe N/A
Note: with FirewallOverride and AntiVirusOverride set to 1, Security Center stops warning that the firewall or antivirus is off or out of date. Both the Security Center key and its Svc subkey are set, covering both locations. Together with disabling wscsvc above, this hides from the user that protection has been switched off.

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = "\\\\.\\globalroot\\systemroot\\system32\\usеrinit.exe" \??\globalroot\systemroot\system32\usеrinit.exe N/A
Note: the value is JSON-escaped in this export; the path written is \\.\globalroot\systemroot\system32\usеrinit.exe. A service named userinit is pointed at a file reached through the \\.\globalroot device path, the same file that "Executes dropped EXE" lists below, not at the legitimate C:\Windows\System32\userinit.exe. As recorded in this report the file name also does not match an ASCII search for userinit.exe: the second "e" is a non-ASCII look-alike letter, so hunts that string-match the real name miss it.

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" C:\Windows\system32\svchost.exe N/A
Note: the (Default) value of exefile\shell\open\command normally holds "%1" %* (run the file, pass its arguments). It is replaced with "exefile" /shell <%1> %*, so every .exe started through the shell is routed through a handler named exefile first, which lets the sample intercept, block or substitute program launches. Restore this value before removing the dropped files; once the handler it names is gone, shell launches of .exe files fail until the value is put back.
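The following script is an added example, not part of this report or of the sandbox vendor's tooling. It parses registry rows in the exact shape this report prints them (Set value (type) key = "value" process target, with JSON-style escaping inside the value) and applies the four checks the findings above call for: Security Center service disabled, Security Center override flags, a service ImagePath that points into the \\.\globalroot device namespace or carries a look-alike file name, and a hijacked exefile handler. The five malicious rows are copied from the report; the two BITS rows are constructed benign controls. It assumes the look-alike letter in usеrinit.exe is U+0435 (CYRILLIC SMALL LETTER IE) and that the Target column is a single token, as it is on every row here.

```python
"""Registry-indicator triage for the "Set value" rows printed in this report.

Added example, not part of the sandbox report or of any vendor tool. It parses
rows in the shape the report prints them,

    Set value (<type>) <key> = "<value>" <process> <target>

and applies four checks taken from the report's own findings: Security Center
service disabled, Security Center override flags, a service ImagePath that
points into the globalroot device namespace or uses a look-alike file name,
and a hijacked exefile handler.
"""
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<value>.*)" (?P<process>.+?) (?P<target>\S+)$'
)

# Assumption: the look-alike letter in the report's usеrinit.exe is U+0435.
CYRILLIC_IE = "\u0435"
HOMOGLYPH_NAME = "us" + CYRILLIC_IE + "rinit.exe"

# Cyrillic lowercase letters that render identically to these Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0445": "x", "\u0443": "y"}
PROTECTED_BINARIES = {"userinit.exe", "svchost.exe", "winlogon.exe", "explorer.exe"}
DEFAULT_EXEFILE_COMMAND = '"%1" %*'  # stock value of exefile\shell\open\command

SAMPLE_ROWS = [
    # Rows as printed in this report (JSON-style escaping inside the value kept)
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\system32\svchost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\system32\svchost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" C:\Windows\system32\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = '
    r'"\\\\.\\globalroot\\systemroot\\system32\\' + HOMOGLYPH_NAME
    + r'" \??\globalroot\systemroot\system32' + "\\" + HOMOGLYPH_NAME + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" C:\Windows\system32\svchost.exe N/A',
    # Constructed benign rows: the checks must stay quiet on ordinary service setup
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BITS\Start = "2" C:\Windows\system32\services.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" C:\Windows\system32\services.exe N/A',
]


@dataclass(frozen=True)
class RegEvent:
    vtype: str
    key: str
    value: str  # un-escaped
    process: str
    target: str


@dataclass(frozen=True)
class Finding:
    rule: str
    key: str
    detail: str


def unescape(value: str) -> str:
    """Undo the report's JSON-style escaping of quotes and backslashes."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_row(row: str) -> Optional[RegEvent]:
    m = ROW_RE.match(row)
    if m is None:
        return None
    return RegEvent(m["type"], m["key"], unescape(m["value"]), m["process"], m["target"])


def fold_confusables(name: str) -> str:
    """Map look-alike Cyrillic letters to the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in name)


def non_ascii_letters(name: str) -> List[str]:
    return [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}" for c in name if ord(c) > 0x7F]


def check(ev: RegEvent) -> List[Finding]:
    found: List[Finding] = []
    key = ev.key.lower()
    if key.endswith("\\services\\wscsvc\\start") and ev.value == "4":
        found.append(Finding("security-center-disabled", ev.key, "Start=4 is SERVICE_DISABLED"))
    if re.search(r"\\security center\\(svc\\)?(firewalloverride|antivirusoverride)$", key) and ev.value == "1":
        found.append(Finding("security-center-override", ev.key, "Security Center warnings suppressed"))
    m = re.search(r"\\services\\([^\\]+)\\imagepath$", key)
    if m:
        image = ev.value.split(" ")[0]      # drop arguments such as "-k netsvcs"
        base = image.rsplit("\\", 1)[-1]    # (unquoted paths containing spaces are not handled)
        if image.lower().startswith("\\\\.\\") or "\\globalroot\\" in image.lower():
            found.append(Finding("service-device-path", ev.key, f"service {m.group(1)} runs {image}"))
        odd = non_ascii_letters(base)
        folded = fold_confusables(base).lower()
        if odd and folded in PROTECTED_BINARIES:
            found.append(Finding("service-lookalike-name", ev.key,
                                 f"{base!r} imitates {folded} using {', '.join(odd)}"))
    if key.rstrip("\\").endswith("\\classes\\exefile\\shell\\open\\command") and ev.value != DEFAULT_EXEFILE_COMMAND:
        found.append(Finding("exefile-handler-hijacked", ev.key, f"every .exe launch now runs: {ev.value}"))
    return found


def scan(rows: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for row in rows:
        ev = parse_row(row)
        if ev is not None:
            findings.extend(check(ev))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f.rule:26} {f.detail}")
```

Run as-is it reports six findings for the five report rows and nothing for the two benign rows. The look-alike check only fires when the folded name lands on a protected system binary, so ordinary non-English file names are not flagged; the point of folding rather than plain string matching is exactly the case above, where an ASCII search for userinit.exe returns nothing.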

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT \??\globalroot\systemroot\system32\usеrinit.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A (8 identical entries)
Note: all eight thread creations with the hide-from-debugger flag come from svchost.exe, which is not expected from the genuine service host. Read with the UnmapMainImage, WriteProcessMemory and SetThreadContext entries, this is the profile of code injected into the service host rather than of the service host itself.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2612 set thread context of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2680 set thread context of 328 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe (48 identical entries)
Note: two distinct injections are recorded. The dropper in %TEMP% (PID 2612) sets the thread context of a 32-bit cmd.exe (PID 2068); with the UnmapMainImage and WriteProcessMemory entries in the summary this is the process-hollowing pattern, and the "Deletes itself" entry above is likewise attributed to a SysWOW64\cmd.exe. An svchost.exe (PID 2680) then sets the thread context of another svchost.exe (PID 328) 48 times, which the genuine service host never does and which is consistent with PID 2680 already running injected code.

Modifies Internet Explorer settings

adware spyware
Note: every row in this table is attributed to iexplore.exe writing its own per-user state (window placement, tab recovery, first-run flags, search scopes) while the browser ran during detonation. These are side effects of the browser being started; on their own they are not evidence that the sample changed browser settings.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000005256fa2613c423d20cbaa1097c1ca81bc3077792f0f1270426da644b5fe3f7e5000000000e8000000002000020000000841a78ba40c5e3c996fa4f68b7916868540d8cd9652eccdfe85a735a224a05ac200000001344d231d1c97b5cae25ed5302e39485e2066b6f30c75ed894a9e1e09b49e4b7400000009ea7c91c481e451c4c0f6f5c0a54da4e1363ab59594d522d59a95d6e992dda7d0a45891eb0b954447244dc0a43ff009cf518966a2e819f8a2e84cb36d144d012 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{12D37E61-D8B3-11EE-B671-4AE872E97954} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000f0334212a0a3a948dfaa594747732f13603475a77c70035c1874688754a0d603000000000e8000000002000020000000682d7c8ed560114c97eea8238d2c18b46ed27e323037e97f89b216f5477d829690000000d59bc10579900500a024670d8a1f074a9a933f8991e9d646008d9b1090935676696aca304086ddbec2a14c10a1cb0579b3dcacd97c0110bc9075fa94afa38db0641deccc4571c8ae8cd14d85b5ad6de81ff2c00288e2b857456a959f7db76e00b38a1466cca8be12c1a12309f7e5819e3d11b7e8f53e7f9c00eebcebccda23ac81d53ae386dc5a5a393b4e1a20ec41f640000000abf0b367bf1e774878d43905163666281f1426a8de71df492be179a348cbf5a8f55a712b10189f50029da33e9a55df310b379c22cf1bd1583ada9717fc18f5e5 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a03987e1bf6cda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1CEA3241-D8B3-11EE-B671-4AE872E97954} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Note: HKEY_USERS\.DEFAULT is the hive that LocalSystem processes see as HKEY_CURRENT_USER. The Internet Settings\Connections, ZoneMap and Wpad keys below are the ones WinINet creates when it is initialised, so these writes by svchost.exe and by the dropped usеrinit.exe show code preparing to make HTTP requests from a SYSTEM context, consistent with the injection into svchost.exe recorded under SetThreadContext.
Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC} C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" \??\globalroot\systemroot\system32\usеrinit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadDecision = "0" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01 C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadNetworkName = "Network 3" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01\WpadDecisionReason = "1" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main \??\globalroot\systemroot\system32\usеrinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" \??\globalroot\systemroot\system32\usеrinit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadDecisionReason = "1" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\3a-31-e6-b0-02-01 C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01\WpadDecisionTime = 60777cc1bf6cda01 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01\WpadDecision = "0" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ \??\globalroot\systemroot\system32\usеrinit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadDecisionTime = 60777cc1bf6cda01 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \registry\machine\Software\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \registry\machine\Software\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \registry\machine\Software\Classes\Interface\{507e1fac-b73d-1bbf-56af-f783afcbf39c} C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" C:\Windows\system32\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Token: SeDebugPrivilege N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeSystemtimePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeUndockPrivilege N/A N/A N/A
Token: SeManageVolumePrivilege N/A N/A N/A
(The 12 rows above, SeAssignPrimaryTokenPrivilege through SeManageVolumePrivilege, all with no attributed process, are recorded 5 times in total; the 4 verbatim repeats are omitted.)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A (58 identical rows)
N/A N/A N/A N/A (6 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A (64 identical rows)

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] \??\globalroot\systemroot\system32\usеrinit.exe
PID 2612 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] \??\globalroot\systemroot\system32\usеrinit.exe
PID 2612 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] \??\globalroot\systemroot\system32\usеrinit.exe
PID 2612 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] \??\globalroot\systemroot\system32\usеrinit.exe
PID 2484 wrote to memory of 2680 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2484 wrote to memory of 2680 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2484 wrote to memory of 2680 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2484 wrote to memory of 2680 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2484 wrote to memory of 2680 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2680 wrote to memory of 328 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 860 wrote to memory of 1452 N/A N/A C:\Windows\system32\wbem\WMIADAP.EXE
PID 860 wrote to memory of 1452 N/A N/A C:\Windows\system32\wbem\WMIADAP.EXE
PID 860 wrote to memory of 1452 N/A N/A C:\Windows\system32\wbem\WMIADAP.EXE
PID 608 wrote to memory of 2184 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe
PID 608 wrote to memory of 2184 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe
PID 608 wrote to memory of 2184 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe
PID 2680 wrote to memory of 1688 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 1688 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 1688 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 608 wrote to memory of 528 N/A N/A C:\Windows\system32\DllHost.exe
PID 608 wrote to memory of 528 N/A N/A C:\Windows\system32\DllHost.exe
PID 608 wrote to memory of 528 N/A N/A C:\Windows\system32\DllHost.exe
PID 1688 wrote to memory of 912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1688 wrote to memory of 912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1688 wrote to memory of 912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1688 wrote to memory of 912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 608 wrote to memory of 1940 N/A N/A C:\Windows\system32\DllHost.exe
PID 608 wrote to memory of 1940 N/A N/A C:\Windows\system32\DllHost.exe
PID 608 wrote to memory of 1940 N/A N/A C:\Windows\system32\DllHost.exe
PID 2680 wrote to memory of 1180 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 1180 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 1180 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1180 wrote to memory of 552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1180 wrote to memory of 552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1180 wrote to memory of 552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1180 wrote to memory of 552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 1928 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 1928 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 1928 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1180 wrote to memory of 1896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1180 wrote to memory of 1896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1180 wrote to memory of 1896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1180 wrote to memory of 1896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 608 wrote to memory of 2896 N/A N/A C:\Windows\system32\DllHost.exe
PID 608 wrote to memory of 2896 N/A N/A C:\Windows\system32\DllHost.exe
PID 608 wrote to memory of 2896 N/A N/A C:\Windows\system32\DllHost.exe
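Read as a graph, the table above is the sample's process chain: the dropper (PID 2612) writes into a 32-bit cmd.exe (2068) and into the dropped usеrinit.exe (2484), which writes into a fresh svchost.exe (2680); that svchost then writes into another svchost (328) and into the three iexplore.exe instances (1688, 1180, 1928) that appear under Processes with the billing URL. The rows whose Process column is N/A (writers 608 and 860) have no image attributed by the sandbox and target WMI and COM host processes (WMIADAP, wmiprvse, DllHost), which is how those hosts are routinely started; a parent writing into a child it has just created also covers the iexplore.exe to IEXPLORE.EXE rows. Separating the dropper's own tree from that background is the point of the following Python, which is an added example rather than sandbox output. ROWS is transcribed from the table: the first fifteen rows with the duplicates the sandbox recorded, and the remaining (writer, target) pairs, which the table records three or four times each, once only to keep the listing short. PIDs are the sandbox's own and mean nothing outside this run.

```python
"""Rebuild the process/injection chain from the WriteProcessMemory rows above.

Added example for this report, not sandbox output. ROWS is transcribed from the
table (first fifteen rows with duplicates, remaining pairs once each).
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

ROWS = r"""
PID 2612 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] \??\globalroot\systemroot\system32\usеrinit.exe
PID 2612 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] \??\globalroot\systemroot\system32\usеrinit.exe
PID 2612 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] \??\globalroot\systemroot\system32\usеrinit.exe
PID 2612 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] \??\globalroot\systemroot\system32\usеrinit.exe
PID 2484 wrote to memory of 2680 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2484 wrote to memory of 2680 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2484 wrote to memory of 2680 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2484 wrote to memory of 2680 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2484 wrote to memory of 2680 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe
PID 2680 wrote to memory of 328 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 860 wrote to memory of 1452 N/A N/A C:\Windows\system32\wbem\WMIADAP.EXE
PID 608 wrote to memory of 2184 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe
PID 2680 wrote to memory of 1688 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 608 wrote to memory of 528 N/A N/A C:\Windows\system32\DllHost.exe
PID 1688 wrote to memory of 912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 608 wrote to memory of 1940 N/A N/A C:\Windows\system32\DllHost.exe
PID 2680 wrote to memory of 1180 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1180 wrote to memory of 552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 1928 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1180 wrote to memory of 1896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 608 wrote to memory of 2896 N/A N/A C:\Windows\system32\DllHost.exe
""".strip().splitlines()

# Columns: writer PID, target PID, Indicator (always N/A here), writer image, target
# image. Images contain spaces, so the split is anchored on how a path starts
# (drive letter or the NT prefix \??\) rather than on whitespace.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A "
    r"(N/A|(?:[A-Za-z]:\\|\\\?\?\\).*?) "
    r"((?:[A-Za-z]:\\|\\\?\?\\).*)$"
)

Parsed = Tuple[int, int, str, str]


def parse_rows(rows: List[str]) -> List[Parsed]:
    parsed: List[Parsed] = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, src_img, dst_img = m.groups()
        parsed.append((int(src), int(dst), src_img, dst_img))
    return parsed


def edge_counts(parsed: List[Parsed]) -> Counter:
    """Number of recorded writes per (writer, target) pair."""
    return Counter((src, dst) for src, dst, _, _ in parsed)


def image_map(parsed: List[Parsed]) -> Dict[int, str]:
    """PID -> image path, taken from whichever column names the PID."""
    images: Dict[int, str] = {}
    for src, dst, src_img, dst_img in parsed:
        if src_img != "N/A":
            images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return images


def descendants(root: int, edges) -> Set[int]:
    """All PIDs reachable from root by following writer -> target edges."""
    children: Dict[int, Set[int]] = defaultdict(set)
    for src, dst in edges:
        if src != dst:
            children[src].add(dst)
    seen: Set[int] = set()
    stack = [root]
    while stack:
        for child in children[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def render_tree(root: int, parsed: List[Parsed]) -> List[str]:
    """Indented tree of the writes below root, one line per process."""
    counts, images = edge_counts(parsed), image_map(parsed)
    children: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for (src, dst), n in sorted(counts.items()):
        if src != dst:
            children[src].append((dst, n))
    lines: List[str] = []
    seen: Set[int] = set()  # guards against cycles in odd data

    def walk(pid: int, writes: int, depth: int) -> None:
        if pid in seen:
            return
        seen.add(pid)
        tag = f"  [{writes} write(s) from parent]" if writes else ""
        lines.append(f"{'    ' * depth}{pid} {images.get(pid, '?')}{tag}")
        for child, n in children[pid]:
            walk(child, n, depth + 1)

    walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print("\n".join(render_tree(2612, rows)))
    print("outside the sample's tree:", sorted(descendants(608, edge_counts(rows)) | descendants(860, edge_counts(rows))))
```

Running it prints the dropper's tree rooted at 2612 and, separately, the PIDs reachable only from the unattributed writers 608 and 860; nothing in the latter set is reachable from 2612, which is the check worth automating when a sandbox table mixes the sample's activity with the host's own COM and WMI start-ups.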

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

\??\globalroot\systemroot\system32\usеrinit.exe

/install

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275464 /prefetch:2

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
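Two details of the dropped executable's launch, `\??\globalroot\systemroot\system32\usеrinit.exe /install`, deserve a check of their own. First, the path is an NT object-manager path rather than a Win32 path: `\??\` is the per-session DOS-device directory, GlobalRoot is a symbolic link back to the namespace root, and SystemRoot a link to the Windows directory, so the string resolves to `C:\Windows\system32\...` on a default install while never containing the substring a rule written against `C:\Windows\System32` would look for. Second, the file name as recorded in this report is not the Windows userinit.exe: its third character is the Cyrillic letter е (U+0435), not the Latin e, which is why the file could be created in System32 next to the genuine binary rather than replacing it, and why it is indistinguishable from it in any listing that renders both glyphs alike. The following Python is an added example, not part of the sandbox output; it normalizes the NT prefixes, lists any non-ASCII characters in the file name with their Unicode names, and folds a small, deliberately incomplete confusables table (an assumption for illustration; the Unicode confusables.txt file is the full reference) to see which system binary the name imitates. The list of system binary names is likewise a hand-picked subset.

```python
"""Flag image paths that use NT object-manager prefixes or look-alike characters.

Added example for this report, not sandbox output. CONFUSABLES and SYSTEM_BINARIES
are small hand-picked subsets (assumptions for illustration only).
"""
import unicodedata
from typing import Dict, List, Optional, Tuple

# The launch path recorded in this report; "\u0435" is the Cyrillic е in usеrinit.
OBSERVED_LAUNCH = "\\??\\globalroot\\systemroot\\system32\\us\u0435rinit.exe"

# Partial confusables table: Cyrillic and Greek letters that render like Latin ones.
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u03bf": "o", "\u03b1": "a", "\u0410": "A",
    "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0425": "X",
}

# Names whose imitation is worth flagging (illustrative subset).
SYSTEM_BINARIES = {
    "userinit.exe", "svchost.exe", "winlogon.exe", "explorer.exe", "lsass.exe",
    "csrss.exe", "services.exe", "smss.exe", "wininit.exe", "taskhost.exe",
}


def normalize_nt_path(path: str, system_root: str = r"C:\Windows") -> str:
    """Map \\??\\GlobalRoot\\SystemRoot\\... and \\??\\C:\\... to the Win32 path.
    system_root is assumed; read %SystemRoot% on a live host."""
    p = path
    if p.lower().startswith("\\??\\globalroot\\"):
        p = "\\" + p[len("\\??\\globalroot\\"):]   # -> \systemroot\...
    elif p.lower().startswith("\\??\\"):
        p = p[len("\\??\\"):]                       # -> C:\...
    if p.lower().startswith("\\systemroot\\"):
        p = system_root + p[len("\\systemroot"):]
    return p


def homoglyphs(name: str) -> List[Tuple[int, str, str]]:
    """(index, character, Unicode name) for every non-ASCII character in name."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN")) for i, ch in enumerate(name) if ord(ch) > 0x7F]


def ascii_skeleton(name: str) -> str:
    """Fold known confusables to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def assess_image_path(path: str, system_root: str = r"C:\Windows") -> dict:
    normalized = normalize_nt_path(path, system_root)
    base = normalized.rsplit("\\", 1)[-1]
    skeleton = ascii_skeleton(base).lower()
    masquerades: Optional[str] = None
    if skeleton != base.lower() and skeleton in SYSTEM_BINARIES:
        masquerades = skeleton
    return {
        "path": path,
        "nt_path": path.startswith("\\??\\") or path.lower().startswith("\\device\\"),
        "normalized": normalized,
        "basename": base,
        "homoglyphs": homoglyphs(base),
        "looks_like": skeleton,
        "masquerades_as": masquerades,
    }


if __name__ == "__main__":
    for p in (OBSERVED_LAUNCH, r"C:\Windows\system32\svchost.exe"):
        verdict = assess_image_path(p)
        print(verdict["normalized"], verdict["homoglyphs"], verdict["masquerades_as"])
```

On a live host the same two functions apply to process image paths from the event log or from EDR telemetry: anything whose skeleton names a system binary but whose real name does not is a masquerade, and anything that only matches your path rules after normalization was written to get past them.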

Network

Country Destination Domain Proto
US 168.156.42.60:80 tcp
US 168.156.42.60:80 tcp
US 168.156.42.60:80 tcp
US 168.156.42.60:80 tcp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
NL 88.208.21.219:8083 tcp
US 8.8.8.8:53 secure.2010billing.com udp
NL 88.208.21.219:8083 tcp
NL 88.208.21.219:8083 tcp
NL 88.208.21.219:8083 tcp

Files

memory/2612-1-0x0000000000400000-0x00000000004C4400-memory.dmp

memory/2612-2-0x0000000000580000-0x0000000000780000-memory.dmp

\Windows\System32\usеrinit.exe

MD5 4acd14244d2cd76d06939163127cfb10
SHA1 75f3e3c764f7d20c9950f5410f753f3210bcc2e7
SHA256 29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb
SHA512 001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031

\systemroot\system32\msiavjyv.dll

MD5 7943d251821ca441924f0d64946e8a3d
SHA1 cace099a490410260802ee143f7c7e3543f2f4cf
SHA256 be8dbcb59c3181ec518a6934931efc725a128310956fd076f0f0bd537b96a9eb
SHA512 0d4c9f021e07e2a27f3e7f46be591f01ec4c04fce98d9c177697ea4518d0c8d80105d73a29deff925cf28fce89a4fe40e790ef0086748dc169b1a8190e6d40f9

memory/2612-9-0x0000000000400000-0x00000000004C4400-memory.dmp

memory/2680-15-0x0000000000190000-0x00000000001AA000-memory.dmp

memory/2680-14-0x0000000000060000-0x0000000000077000-memory.dmp

memory/2680-20-0x0000000000190000-0x00000000001AA000-memory.dmp

memory/2680-25-0x0000000000190000-0x00000000001AA000-memory.dmp

memory/2680-43-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

memory/2680-50-0x0000000000190000-0x00000000001AA000-memory.dmp

memory/2680-51-0x0000000000190000-0x00000000001AA000-memory.dmp

memory/328-54-0x0000000001360000-0x0000000001366000-memory.dmp

memory/2680-53-0x0000000000190000-0x00000000001AA000-memory.dmp

memory/328-52-0x0000000001340000-0x0000000001343000-memory.dmp

memory/328-58-0x0000000001360000-0x0000000001366000-memory.dmp

memory/328-66-0x0000000001360000-0x0000000001366000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{E9C1E0AC-C9B1-4c85-94DE-9C1518918D02}.tlb

MD5 63881935b6ff930a39df13a27c18c3f5
SHA1 d5464ca24d61b2efb562b1b4f4e0bef69c94cf04
SHA256 50d712b007a3339855619a4ad283661c07e13ec0a74465ea3d121439005cd1e5
SHA512 011d0307d088ac7a691ff504f8c3e99a06097fc27e10d40d62721cf6c6d0500120d040a7d32fd10aa50aeef1ef12be67501fff122bed129a354fb57c213a0ed9

C:\Windows\System32\exefile.exe

MD5 72178bb0f9674f0ce0b6b188d1219266
SHA1 ae3c43c7846c0ef977fa90991e1c366e34ab671c
SHA256 09cd3c864182b703a1384a15e60424c0ee8c82c3fd19f197c391a0e3ec5bd16e
SHA512 d9004c1b8402375c92690525f06ae83198bb929bb18dfc46fda9036a4054ed9c38637438b13ecc2566f98f2a8ac297ec7f0151b63a59c4f7bbc2ab8f7b6d779e

C:\Users\Admin\AppData\Local\Temp\Cab7497.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx

MD5 3d9c07539df65f271c6f796ecd8a5a25
SHA1 df81120bbe93431f064d634f221309c5b129c73d
SHA256 2c5af935a6aa5a84ccf281b70fc33696e17f514433bbfcb5f99001a654a35730
SHA512 921b4bf60e6b2bd0997a95918897a842bcd1e7ca3256aefd89f669b5dc8a25522fd8bfec99888825e317f574cf030de0d5aca11a6c67ac16e2dad9d7b2f1deee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar75D6.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91af7e3d8a897a02f257050baf4612e3
SHA1 845b3a0cac21a3d16ed0e5ab7b405a1fa0decc6e
SHA256 968480269438b691099e36c23596293b6d6bfa0cde0cc866612544f4a2974146
SHA512 3b9dccafaca958facee630ddf89effcdc783196ebf987545e4c1587845232050a89d916deb2d8d503af4382d2fd3748bda4868cd684ee402733061cb9f255dac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88de4a8552e3144b1de75f4ef7665a7d
SHA1 1dac5991e3f94edfef4bad29ba1905920e9c1fe3
SHA256 5b5bacfced416c5927b1f5daa817b2b577610832b83df23c7191a7b6d22a1c8b
SHA512 01056d824678371f18050104171932b0c5c6983de1d7b516c9f29b3f0281ed92e11b0e0448726fc2ece788d37c138478feef30c90c25849325dddabcedc146de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 125576ec7f0ff7d3923a2da41fc93675
SHA1 b8aee8597c54f7cbc7ce368db103c2f6d760489f
SHA256 e508e11f97836b1c1125c8f130fe09dd407dc4773860f883a852c70783471d50
SHA512 74b4b6ff8dbb172a83eb14f1782a801786c48694d06fb2a49cbab0925c391667b99cdb2ccaa9912f8a305b9975104dc40ee6f25c988df5ec9d66f21bfbac7e1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 435e230041289fbefae505f969005e7e
SHA1 392cc149203138c1865603b423af61254fd70eec
SHA256 a0df2d01909381dba22c6a2774267aed6de21f244992702b52ddb9029c4ea0f1
SHA512 57efc116e10f2679ce89318c55dd952f6b6bfa70b6ddd7eaaafbd620c10808beb371bb29c7755b8fd6d657c0da580180a212593fe19c9d1c20574a0e21590ed2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d217d64fc07dbe5c258f0f32834f5f48
SHA1 209d32f312d6724e6bf9d8a4627e7ce6ba8428e3
SHA256 cd4b0ed1f0c8d2fea70bfa177c11cba304022178612964fd51bc755a215a083b
SHA512 ec0f8ab137f97976a3f4cef8b9eb3686f53855a5802f3b76964527975742495fc8889731a0539a1ae5de2956164fef0f416805d1d0b0f0ba2a4b268ed2e9b7be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6988b80347b77ceebebf1427a3d319a7
SHA1 77b1ceae719143795096380b9cfe9829723d7942
SHA256 aa677512c7eba52eacf127ee6099101027d1d6045dfad7eb3e707cc719f61693
SHA512 16e8cdee31428c63280d46b50e24085baba0d4fdf2e7ed1fe45c06fffbc8f770a879a35efe9a6dc71cc7012a124b1c8488fa6776600975a70b4eb25132787f86

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e25aa2dbc8e99ca25206a04d935f72d8
SHA1 2a190a44c9df876c62fcb5ff864c976a8cb93c12
SHA256 9d18d1a16270a66022cf4b79c277b569ac7f9ec4cc289d0aaf977f69030c8d14
SHA512 8000db05d9c6ce8080c7f449c07d836268aa5f3284636c290e3c3bb54439d9506aa7639b62d3f1c131e30f624f14d9b69d7b3be8b007cd967c3424a0cfb7adc2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de548bb2323cf64740950ff6ece245d1
SHA1 84900b2089d83a1309c75d6c2779458bf09a611b
SHA256 9857c2d654eaf673ac92abd85b5cdd07ed019f506f13cd2530184fb05f17bc5c
SHA512 cae72ed7ef0f8f8a69f8272edbbe4e739b805ed4d5a044d8d4442575a98d1a91405ba517e7ea3cb4a6c1143994e2ae12038bf8eee1693ad12ddcd961d1a84596

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fa72dedbb4968745fc140d78c9f5f10
SHA1 9bbfbd9e3f13c54f593854e38a86fc67060dae5b
SHA256 4a41e86e6cb191941ddc59a71f84e1fc43394eaf7b7ae01fad291b6ed8faf028
SHA512 6e3baa93721190d7ff504a3a1a6bcec821133c9cfe2a35903337edee0b4bce2e480f328355ab65cd2efc06ab8bb38b698ec4a1507b4dc7bf10f556e1ca4a1815

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00393b74b1e78443909b60d283b272ef
SHA1 17c2a82e29628c17afccdbbea79c8e1051569306
SHA256 131868f188cf0c9072348e22ceab919e470a8853dfa2918d02a9a58f0bb7505e
SHA512 1769b8bf4fcd9cd1b426803ce119d8f245d929501e956d8ce792eb3b4621ce9032719152d4f8664afaa766b1f34b242b646a72cd9984fca1da2ae6821502d8e2

memory/2680-718-0x0000000000190000-0x00000000001AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{12D37E61-D8B3-11EE-B671-4AE872E97954}.dat

MD5 9527bf40f559800fd3b04814bbc79a2c
SHA1 768c5b4fe5462f030467e552360a5e0ba5f39c43
SHA256 436ef25d4247f02fce299ef9b60b7b1a908b795c5385c66565449870aedeb88c
SHA512 8b4ad12cef16f44c36e3ff8c50c4b7e08265aa1f11c69aaaff55e6930ac00d315c26055694aca30fa0e9d283d1d0b98ac17f51561299acd60a11a0409edf914a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{BA76E2A0-D0CB-11EE-AB17-C695CBC44580}.dat

MD5 155996f17a92c47de350e459a6e41386
SHA1 e471d155c1d7168f1a75d5864f388bb4b38015e0
SHA256 bfa419ade4b7b9f1c5df73d8baefd06b9adca183df79fa3cca1134ad998e5112
SHA512 a5c5336ed8e132f40ecd0d93d5c2d231e4d5a60f4fa83d6df1b54e7d840baf43c0f15e301217bc3c07454be8a0b329de7384bf435a978560993f5686327e4a63

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{12D37E64-D8B3-11EE-B671-4AE872E97954}.dat

MD5 add3306883224d654844a059926cd23a
SHA1 63056684cf174583355cc626c01e6578252bab03
SHA256 919aeb875e9d7a47a5b6c1439f24b9cca9cb4434337c353c9f14aae5eda90d9c
SHA512 8bedf4fd31f4e9d5413b2494975dae8db86c2827655e0c519bfb8110bf97d9dc333efbb642bb5be99e735e4fad97b7534fc75a64bbedbd1e04768711f326c8e7

C:\Users\Admin\AppData\Local\Temp\~DFAA18BF052BDAA972.TMP

MD5 586b38047b28665d76fa758c9b063573
SHA1 bf727aa40120cdcc43591e2d8921b26c5322a17c
SHA256 6909c25c91407cee861748a84d582473fb8ff34140044c80880799ab642809a1
SHA512 59d45b5c875a56da4eaf024c028422a0d1010a876efbd397ba37c0944de74920de9cf4e73c056b80d493a7b64261f857aaad59043b63f071f154f65281ad8abe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dec6f1c5c8c9e13e7a5e48aea260e3ec
SHA1 8487e5361256c42842cac9f5c8b1d028eddfe3c6
SHA256 39a4e5e572a005067ca631f9a96bc59e5ae9d3b60ef5793be557426013329e6f
SHA512 18f2868fd851f4862ed681350dc52cc8e6eee13fbad7221d1c220948f0d02b96e22a4f0dda429f99a37d63b7868aa7f6e49235c3b668566e8de455b0170b422f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 543b72f33e20b7b2eb61654a4ad916c9
SHA1 8e3ba6503b1774afaf29c5aec846a7653c3d7811
SHA256 897bc4fe5e6bccfda5e86507edfd88f1501be61810ccfcab96a7d4943b06d526
SHA512 5d14fcd926a5cd03c5135bc640a5a916fd8c94ade5a86bcd606d43ada7d5a281130981dee603bf975b53b0d1e7cdffa9f33787551973290a6721714aa1b5016b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d773d93012bce1b52e7c9b97907e8c94
SHA1 672d2e4982d61708caf5e0f9cc4fdaa604905d00
SHA256 cd7d10d365c89b0902c21b7c6fa290832e32033f6eb633250fa26084a49c2fe0
SHA512 7010bfa2418d1133a0e938bdabdf762cef0521b65586ce41df0db165c720a389843c913d5d7e67462a5ba9759c594d99342bdb4bc14f92e201b47b8979da8c23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 383ea7d6a28aea7f6e45998ed97e54ce
SHA1 5bd6b4141a43645cb3ff4ca49d13bbca8e56701b
SHA256 4ffa0278b6d40ed1d88c8070df804fdf91e0790e3f678fe818db84252cd4f9be
SHA512 d72da5202aee091dae5ad0f5d48a8e14a15751da1ef77febe7b210424ab7a522e23e40f92ba6884fec216a711817fd2135cbbb83b675dc27b6dd50cda52d86cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56fd870f55562b79b9efb40f2c135397
SHA1 0673955ddce7a2fa0fa3299e21e05fe0b52f9a08
SHA256 f885469cef80fbc3ec9658881f8ab82860b43f1ac898a420acd623e8c3719be3
SHA512 a93c37179c2c29667bccf14c932f6460144c26acb0908bc9e28ece9f24b95c439eb26a1f375cabfb54091e7c9385d5c584b9c2e3c341d38b0afc9f7cdab83813

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97b1e9848ca5acef67c9ce508c293eec
SHA1 e10a89fb33ede8551319fe4a885048f928a55042
SHA256 d21dee8bc3ae5f967fe77eacb283cea1fa1743056e3a21d1802e8e677e9505cf
SHA512 c36a8b153ad2a524e366d8b1c653f4c5e3e3ae098d827962e1994adb247fb68dee9732ef7cb620c706bd553f54c950a85b492f01e98e70642202cb72ae4d09ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cf53bf00ae4ae0d15248970b5dc4ecb
SHA1 45beea26ba739c59e5d45f381d190f8abdfb113f
SHA256 ac0d415e494c5297a5103263f31bbc0d867d8d07384f01f972ddf4e617b44a55
SHA512 ddbc7605809a806c7e1d824b61b3d6ae6687b511dbe7b88eb41dc6a3247171540e3581ecd171c0a12577e97f048f132220892f371c7462ac201c8e9bbfc05cea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12536c96bc64bc5d677f7d012f67f318
SHA1 e6fbbfab3848cc75801f53ffec76f6fa61b5e344
SHA256 32784e3dd8bb3cdbf723d9151ae19b511c83b75d443720cb79b82db92600e8bd
SHA512 e61af4e45b9d65ba2b54d13d96af92b6e8f6598cd93a720c98e993c29e21b1874f1352c7fe2370f6cc747a611ae0c2097ebe2131ebc6d24ae004d88c0de53d73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5fa99b9beab8f1a98421f7e371dc3d38
SHA1 c8991d394ee5166a8f3f7103064ff03981e17af2
SHA256 a41d68f1beee07844693bfe948b6305c071926797485c3818a4c90b7d67bb9b5
SHA512 52c6868e1e1abad7ad418b5dec92b12e6a4d8733622a98a21011e005f3cbc8da6873e7b68cf2caddae378a01283e82abdba218d01187327a7f6befecd0c85486

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eeeda9c53aea509b4c87f20bd15ec7e5
SHA1 d3a0a385a76979c2dbfb5f9328cbb82691306c6c
SHA256 f986af75bfbf3f992ef0003969beb15aa6ca965e3441aa49076a306b7d45b0ef
SHA512 ee5cf39b1f4d2c3b1b9ef8d2ebe0c746a24264214002ac95333f99a0352a7597430c064b2b50c900a5a06fc498edbfab560d34acb315d9147b44cee1be4bd624

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1CEA3241-D8B3-11EE-B671-4AE872E97954}.dat

MD5 22b178ee31c51f48b66eaac9984cfaa9
SHA1 b8b264ded9130d49369d998777b7ad53ca3708fc
SHA256 56ac709270958c98de1793b7db0fffea535ed3799d0fafcba00c358b73408a64
SHA512 89a531b6d5142fb34a1cfaad84069702a239aa27d2c2f568798d3fd9ad137a84da5cd6f742338be1ded8c6c44e7304ee5d6ca684117a2210873af879b00a7bfa