Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    04/03/2024, 14:15

General

  • Target

    b255d021f8154ff50c4d660af3d2add2.exe

  • Size

    57KB

  • MD5

    b255d021f8154ff50c4d660af3d2add2

  • SHA1

    95bd59977f59169796085fee6ee8ce16a88f0dc1

  • SHA256

    d765fe9a2d98bf50348be276eb608aefc9fefd360c98550569b874cf4f7846b7

  • SHA512

    6ae65532414baf189f15e90effc2ce340df3d68e4bedb5185a71ffe647b680bb00abf3c22d8dae999d33c912ec32c6d4dcbed97e0f9f392f4ac7c9a49283b01c

  • SSDEEP

    1536:y16Gj+WVFGsh8p8Txzn2yh/ofBFt5CBKma:kpjdFGE1n16OLa

Score
8/10

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe
    "C:\Users\Admin\AppData\Local\Temp\b255d021f8154ff50c4d660af3d2add2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\comeback_197.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2316
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
          4⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:1712
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
          4⤵
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
            5⤵
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:1984
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
            5⤵
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:1700
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
            5⤵
            PID:2620
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
            5⤵
            • Modifies registry class
            PID:2240
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
            5⤵
            • Modifies registry class
            PID:2072
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
            5⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:2988
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
            5⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:2568
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
            5⤵
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            PID:2732
            • C:\Windows\SysWOW64\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              6⤵
              • Checks processor information in registry
              PID:1684
              • C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                7⤵
                PID:1600
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 D:\VolumeDH\inj.dat,MainLoad
            5⤵
            PID:816
    • C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp
      C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1576
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlEBC8.tmp > nul
        3⤵
        PID:2616
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B255D0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:3008

Network

MITRE ATT&CK Enterprise v15

Downloads
