bb85df581184a01fd378b6f9eb44c9ee0661064343fde83e297f5c359bccee6d

Resubmissions

09/03/2024, 22:41

240309-2l67yach48 6

09/03/2024, 22:33

240309-2glenscf93 1

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Core.xml
Size

35KB
MD5

0505315076f50de128b8256927b94722
SHA1

305c0048d402b936710c20c651c476a2e895e823
SHA256

bb85df581184a01fd378b6f9eb44c9ee0661064343fde83e297f5c359bccee6d
SHA512

dc7bc55d0e85125bbe0e23d6d5428492484c30159c25021dcb76c6b4808a19a602edc7ef4ae0ba9244c4c35d85bdfc5c0f6f17640da23f7e1bdffaa737b29330
SSDEEP

768:ikbkSAvZgSLJAId/mAvZgSLJAId/DSOSiS4SK:ikbkSAvZgSLJAId/mAvZgSLJAId/n

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar = "C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"	sidebar.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	ehshell.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ehshell.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0b21cff7272da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	sidebar.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2A6C9E41-DE66-11EE-8356-E61A8C993A67} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000772c823683e45062ea54dccc50643cdcc233d6d363b8163ac57a2d8a51ba901f000000000e8000000002000020000000cf8963be33b14d4bbeaf63c9f02fe39fd4544a71ff4169954d0fe34ec13bcc0b90000000204d0bbf368c283500765f4b4114161c9c34e666fcf1b56d9d201f8ada9a1d16772dd49f10fc21fd57c1f3d99dd243be4b576c1b79c4d4a4f8ca6db6cdf8283b3f3b9740f9488817ab631300adca7c27e008225ef50fd688785080edaed51ce5ad42ba33cb81f8808287bc0fc4b98a049a78422e17149a1c41811c79958915ca4f4ed406e1640c60bdaf2019dcf9a221400000002473a2ae8c727a2f825d0ad11ce057906f23205edf895a47c51525efd47c756e36267e06d9d23777800358fae7a2b40bf0a5254b13c4264f22d96eb064464c3f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000009bae4ea32e048699f5607e92309e64f5f298484add71703e0df96fab6467af83000000000e8000000002000020000000408b2363b16ebd2639b761e3006b0c54c8d4a18be060f63d8fb73bf7008c932220000000a2d9365f2c738f170a6275d7a01bf7ee401d9074e31f7d3ed33f345f449b4b394000000022b94c4a333716aaf0533f6afbbd4ac9b7ce9aac8f34dde76abbfa35fbedd4edb918e503f303fef415c8c82b5b9144e41d0616fcc1645571bb22d9b8261a4763	IEXPLORE.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
908	sidebar.exe
2296	ehshell.exe
2296	ehshell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2296	ehshell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	908	sidebar.exe
Token: SeDebugPrivilege	2296	ehshell.exe
Token: SeShutdownPrivilege	2296	ehshell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3060	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2504	2952	MSOXMLED.EXE	28
PID 2952 wrote to memory of 2504	2952	MSOXMLED.EXE	28
PID 2952 wrote to memory of 2504	2952	MSOXMLED.EXE	28
PID 2952 wrote to memory of 2504	2952	MSOXMLED.EXE	28
PID 2504 wrote to memory of 3060	2504	iexplore.exe	29
PID 2504 wrote to memory of 3060	2504	iexplore.exe	29
PID 2504 wrote to memory of 3060	2504	iexplore.exe	29
PID 2504 wrote to memory of 3060	2504	iexplore.exe	29
PID 3060 wrote to memory of 2716	3060	IEXPLORE.EXE	30
PID 3060 wrote to memory of 2716	3060	IEXPLORE.EXE	30
PID 3060 wrote to memory of 2716	3060	IEXPLORE.EXE	30
PID 3060 wrote to memory of 2716	3060	IEXPLORE.EXE	30
PID 908 wrote to memory of 2296	908	sidebar.exe	36
PID 908 wrote to memory of 2296	908	sidebar.exe	36
PID 908 wrote to memory of 2296	908	sidebar.exe	36
PID 2296 wrote to memory of 2932	2296	ehshell.exe	39
PID 2296 wrote to memory of 2932	2296	ehshell.exe	39
PID 2296 wrote to memory of 2932	2296	ehshell.exe	39
PID 2296 wrote to memory of 2932	2296	ehshell.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Core.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2716

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2840

C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\eHome\ehshell.exe
  "C:\Windows\eHome\ehshell.exe" /playfavslideshow
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /SkipFUE /RemoteOCXLaunch /SuppressDialogs
    3⤵
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Modifies registry class
    PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27b6dff7560360e44419556f9f58a2ea

SHA1
b6180d70184275c1753dc11643b71ed1ae47db86

SHA256
c80aa1e7ddd0cbdf6bf537b9f5a987481e376683807aaa9b0625497d5c470e76

SHA512
ab6ac197bfd33c5cc3fdefda59b3d48d20ef2439893a633329fee4a045a9991b727fdada77eabcd843ebe82d02f7e5540f32663b48d86b4867f8a8a915b8fe86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b0ba8bdcbb50d11da6704f486cfc080

SHA1
7f50a77c334369bfb0b51ebc9eb6b259622b1a8f

SHA256
57f15d2762cf860d738f7ae952f49db9faa04bbc903577e36e6c398f2d57dd31

SHA512
7dd6546284f4a8bbcc8758038e24fab8e1469413e589d9f5a22323f8b3a28f6d4cf994543ad23b493be05716b3b1a856e9aabf9a255fd5a7455559e2c3b47ee8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17129bb0456136da70ba5522e0eccc94

SHA1
840b22175722245af4aa64224b21143d300ca3a8

SHA256
0196a9ca7b10d751ecba547b82f665ef3cabb9e2831286a10ccd35a4d6fd2f96

SHA512
679922eaea10cdaf00caec35aa4020a86b6a19ee5f68e2d135d119413d2dfbfbb010c1a8c351db68ca4c57991929ac9c8e2cb41b0c216c6a9ee33edcc1e27786

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b06a837987e3626c61599abad662b682

SHA1
451988781ac028772b07208f58533f2619a4a0fb

SHA256
c275deb85c7b4b4ec7c14cb20c7c40656a1ba51503483c73798b42e76af571ad

SHA512
712fe0312e10596feedb71d738429c92f772581e750aa509ce1f43b759b1c9f603829b86e1c1adfe3c10477d5a6c94927f8f724740bc511ecef5733013854b47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5448670a538512f6a71d69c323ee0e4

SHA1
91a16a1ad7dcaeaba85b7406d8c1292158819042

SHA256
a173d825beb46d9df6228dfaafd2cf0ce43d2bb90378677a6e714526b0339f39

SHA512
beb158b235f0b52d442ef16d1c406db48cab77dc3c2539e480998635b23c9638c4d201727ee3dafec9cf5d2701c61e723d9a8b8de24f5b41d67ff46c0e568c14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

Filesize
1KB

MD5
f090c466bc987932ab6f501d53067ad9

SHA1
9b2bc1bf4f0f87e7bac6f5b6800e84bf11e95bd7

SHA256
3917e724dc84a3a8f8a7a4f93d598bfab195da20345fa3400cdb2f78747e7fc2

SHA512
e980af80cc4222b905a214b7f17e24adcdcb49423d09c6d12c9e2af2abc57037efbf023d66914e33dacf951f1787bdcc20f77ac0cb14ffc6bf2fe8c627aa4642

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab281B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2C87.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFCB22AD9DF09D1B65.TMP

Filesize
16KB

MD5
b0048fcee81b8556c81e8fe7d982d42c

SHA1
678d4e3669bf9a3292fb95ad49a3e4426307192b

SHA256
639187a5da1a3e19781b05633dccbab39e8ac942d3b8a3edb68bb117799ff5bd

SHA512
540826da1000f109ec5e2e65c6609a4993880aba2c91bf7430dbfc14881118db2a22bf4b40a992a0c499cc57f168fedef477dc7c6b948450ee8f14a8158356a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\8f96978fc46d9f00d8780351026924d7_63be8c66-23f0-4400-84bb-c1a439222555

Filesize
59B

MD5
db733e033c397fec5917611957620271

SHA1
6f94d1daa0fc4ec1b2d4cbcb93730d8edb77a2b7

SHA256
1f3ffadd3b80c7f95be06e245410768e8302a24e573868da3c6fd91230025bdc

SHA512
9a9bb4cf6380bb0a73ea414ca2226a344c7da003e49610dc38bd10892dc17244e4c88bf8a466131027e3c064c693ad99014e6853fff51edb21cb690b926b962f

Download Submit
\??\c:\programdata\microsoft\ehome\mcepg2-0.db

Filesize
404KB

MD5
202238c79b56cccb8a6fc2195d6183f7

SHA1
1ec07ce025b36a67e90249892bb1c4bbd7d50e6e

SHA256
d7c4e9b1f55f609c4301c9081032c5bad61b8357fbcfa2a5a3cb1406aca40004

SHA512
41364c7c74a5df651882c60998d3f1e40aeb60de073da853a4e777c90da34dec19aa44938f63e424d1c634319f7791f368ac0defad818121cab55c7cb09779ea

Download Submit
memory/908-534-0x0000000006B20000-0x0000000006BA0000-memory.dmp

Filesize
512KB

Download
memory/908-533-0x000007FEF3230000-0x000007FEF3BCD000-memory.dmp

Filesize
9.6MB

Download
memory/908-535-0x000007FEF3230000-0x000007FEF3BCD000-memory.dmp

Filesize
9.6MB

Download
memory/908-537-0x0000000006B20000-0x0000000006BA0000-memory.dmp

Filesize
512KB

Download
memory/908-552-0x0000000006B20000-0x0000000006BA0000-memory.dmp

Filesize
512KB

Download
memory/908-551-0x000007FEF3230000-0x000007FEF3BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2296-545-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/2296-558-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2296-547-0x000000001D450000-0x000000001D5D4000-memory.dmp

Filesize
1.5MB

Download
memory/2296-548-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2296-549-0x000000001B740000-0x000000001B7DE000-memory.dmp

Filesize
632KB

Download
memory/2296-550-0x000000001BC70000-0x000000001BD28000-memory.dmp

Filesize
736KB

Download
memory/2296-542-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/2296-541-0x000007FEF3230000-0x000007FEF3BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2296-553-0x000007FEF3230000-0x000007FEF3BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2296-554-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/2296-556-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/2296-546-0x000000001E260000-0x000000001E868000-memory.dmp

Filesize
6.0MB

Download
memory/2296-557-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/2296-555-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/2296-618-0x0000000002210000-0x0000000002290000-memory.dmp

Filesize
512KB

Download
memory/2932-615-0x000000006F980000-0x000000006FA71000-memory.dmp

Filesize
964KB

Download
memory/2932-617-0x0000000004A40000-0x0000000004A4A000-memory.dmp

Filesize
40KB

Download
memory/2932-561-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2932-619-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2932-620-0x000000006F980000-0x000000006FA71000-memory.dmp

Filesize
964KB

Download
memory/2932-621-0x0000000004A40000-0x0000000004A4A000-memory.dmp

Filesize
40KB

Download