Analysis

  • max time kernel
    300s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2024 23:22

General

  • Target

    ad8f4809df9a7429e0a3dbbaeafae78056f10584f042bcfde4b8fdab553077ad.exe

  • Size

    663KB

  • MD5

    cf783d751a0c45d4fdead46ac29d831e

  • SHA1

    30826caa615ea57877699a5b9062f89685b01e19

  • SHA256

    ad8f4809df9a7429e0a3dbbaeafae78056f10584f042bcfde4b8fdab553077ad

  • SHA512

    8dacbec85e93700cdbb783b57d2421a110133592c7ff75a176f2bc0ee6c71625c02ef2b9d41427b12c1da3b99a0b7ecca3cc1019ceb19cd252fa0836bbfa3fc2

  • SSDEEP

    12288:2MwC2DnOQyOmir722i6N0hwQ929tHih31p+dFYTsmkcVT5xXd/o9OrsR9KGPGm+N:2MwC2DUOjP3Nmw5jHih31p+dFYTVTo9k

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\ad8f4809df9a7429e0a3dbbaeafae78056f10584f042bcfde4b8fdab553077ad.exe
      "C:\Users\Admin\AppData\Local\Temp\ad8f4809df9a7429e0a3dbbaeafae78056f10584f042bcfde4b8fdab553077ad.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Albania Albania.cmd & Albania.cmd & exit
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2752
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:2660
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2628
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:1928
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 55106455
          4⤵
          PID:2768
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "RESTORATIONFONTPALACECHRONICLES" Evaluated
          4⤵
          PID:2604
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Attempting 55106455\e
          4⤵
          PID:3060
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55106455\Denial.pif
          55106455\Denial.pif 55106455\e
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1660
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2864
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55106455\Denial.pif
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55106455\Denial.pif"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3004
    • C:\Users\Admin\AppData\Local\Temp\F3C1.exe
      C:\Users\Admin\AppData\Local\Temp\F3C1.exe
      2⤵
      • Executes dropped EXE
      PID:2420
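The tree above is a batch stager: cmd.exe (PID 2656) renames the dropped file Albania to Albania.cmd and runs it; the script pipes tasklist into findstr /I to look for six named security products, creates the numeric directory 55106455, strips a marker line from Evaluated with findstr /V, reassembles Attempting into 55106455\e with copy /b, launches Denial.pif with e as its argument, and stalls with ping -n 5 127.0.0.1. Denial.pif (PID 3004) and F3C1.exe (PID 2420) then appear directly under Explorer.EXE, which matches the NtCreateUserProcessOtherParentProcess signature on PID 1660. The following Python is an added example, not part of this report or of any vendor's tooling; it encodes those observations as rules over a constructed copy of the report's process tree (PIDs and command lines as listed above) and groups hits under the top-most cmd.exe ancestor, so that one rule firing alone (a lone ping, an unrelated findstr) does not raise a chain alert. The Proc record, the rule names and the min_rules threshold are my own assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One process-creation event: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


TIF = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"
PIF = TIF + r"\55106455\Denial.pif"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ad8f4809df9a7429e0a3dbbaeafae78056f10584f042bcfde4b8fdab553077ad.exe")

# Constructed input: the report's process tree, transcribed as events.
EVENTS = [
    Proc(1380, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(1688, 1380, SAMPLE, '"' + SAMPLE + '"'),
    Proc(2656, 1688, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /k move Albania Albania.cmd & Albania.cmd & exit'),
    Proc(2752, 2656, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    Proc(2660, 2656, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    Proc(2628, 2656, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    Proc(1928, 2656, r"C:\Windows\SysWOW64\findstr.exe",
         'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    Proc(2768, 2656, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 55106455"),
    Proc(2604, 2656, r"C:\Windows\SysWOW64\findstr.exe",
         'findstr /V "RESTORATIONFONTPALACECHRONICLES" Evaluated'),
    Proc(3060, 2656, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Attempting 55106455\e"),
    Proc(1660, 2656, PIF, r"55106455\Denial.pif 55106455\e"),
    Proc(2864, 2656, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
    Proc(3004, 1380, PIF, '"' + PIF + '"'),
    Proc(2420, 1380, r"C:\Users\Admin\AppData\Local\Temp\F3C1.exe",
         r"C:\Users\Admin\AppData\Local\Temp\F3C1.exe"),
]

# Process names the stager greps for (taken from the report's findstr lines).
SECURITY_PRODUCTS = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
                     "nswscsvc.exe", "sophoshealth.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def quoted_words(cmdline: str) -> set:
    """Words inside double-quoted arguments, lower-cased (findstr's pattern list)."""
    return {w.lower() for q in re.findall(r'"([^"]*)"', cmdline) for w in q.split()}


def rules_for(p: Proc, children_of: dict, by_pid: dict) -> set:
    """Return the names of the stager rules that match a single process."""
    hits = set()
    name = basename(p.image)
    toks = p.cmdline.lower().split()
    parent = by_pid.get(p.ppid)
    siblings = children_of.get(p.ppid, [])
    # tasklist | findstr /I <security product names> under the same parent
    if (name == "findstr.exe" and "/i" in toks
            and quoted_words(p.cmdline) & SECURITY_PRODUCTS
            and any(basename(s.image) == "tasklist.exe" for s in siblings)):
        hits.add("security_product_discovery")
    # findstr /V drops marker lines from a dropped file before use
    if name == "findstr.exe" and "/v" in toks:
        hits.add("marker_line_stripping")
    # copy /b glues dropped fragments back into a binary
    if name == "cmd.exe" and "copy" in toks and "/b" in toks:
        hits.add("fragment_reassembly")
    # a .pif executable running out of the user profile
    if name.endswith(".pif") and "\\appdata\\" in p.image.lower():
        hits.add("pif_launcher_in_appdata")
    # ping -n N 127.0.0.1 spawned by cmd.exe is a sleep, not diagnostics
    if (name == "ping.exe" and "-n" in toks and "127.0.0.1" in toks
            and parent is not None and basename(parent.image) == "cmd.exe"):
        hits.add("ping_loopback_delay")
    return hits


def stager_chains(events: list, min_rules: int = 3) -> dict:
    """Map the top-most cmd.exe ancestor of each hit to the distinct rules seen
    beneath it; keep only chains tripping at least `min_rules` rules."""
    by_pid = {p.pid: p for p in events}
    children_of = defaultdict(list)
    for p in events:
        children_of[p.ppid].append(p)
    chains = defaultdict(set)
    for p in events:
        hits = rules_for(p, children_of, by_pid)
        if not hits:
            continue
        root, cur = None, p
        while cur is not None:
            if basename(cur.image) == "cmd.exe":
                root = cur
            cur = by_pid.get(cur.ppid)
        chains[root.pid if root else p.pid] |= hits
    return {pid: sorted(r) for pid, r in chains.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for pid, rules in stager_chains(EVENTS).items():
        print(f"stager chain rooted at cmd.exe PID {pid}: {', '.join(rules)}")
```

Run against the transcribed tree, the only chain reported is the one rooted at PID 2656, with all five rules; the second Denial.pif (PID 3004) matches the .pif rule alone and is not raised as a chain, which is the intended behaviour for a single weak indicator. The walk to the top-most cmd.exe matters because `cmd /c copy /b` is itself a cmd.exe; stopping at the nearest one would split the chain into separate, sub-threshold buckets.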

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

              Filesize

              68KB

              MD5

              29f65ba8e88c063813cc50a4ea544e93

              SHA1

              05a7040d5c127e68c25d81cc51271ffb8bef3568

              SHA256

              1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

              SHA512

              e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Albania

              Filesize

              7KB

              MD5

              83a34379d845324abb6c98f0de6a4e7e

              SHA1

              a58643df603af76d4021c465d8da22f79f9fd9ac

              SHA256

              271a4d29889f6c79cb2f8ac13cad58c60f056d2c32e98f566f4d6b05a25ee972

              SHA512

              8aefcbbe9aaa0e793680251b69f652b8c93130e4f837fe778ac9a065acd2587c65677878b220c34802a2bfb458ab71ecea23d73e0a80d75d5fad23590645df78

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Anticipated

              Filesize

              67KB

              MD5

              a2e216bd646dd38c490ff0164ac15154

              SHA1

              44228567eedf2b0fb15844b43d033b386a2b216e

              SHA256

              1b23e536a23154db81725f73f2b292f430705b7f23c23f06f3867b7a09a8ea34

              SHA512

              4e59f0c817a607a22c5252a627068c9a30bed8a7f1d7de1edfc207ff937e41cc03f1f7498aebaef2c91d8f4a79ba9ede16f59960108ea2f0c00e447218389571

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Assuming

              Filesize

              27KB

              MD5

              a246b727587260e8d2160c469775406f

              SHA1

              dd9d97017a010f5975aa3bdd2939b19f6ffad472

              SHA256

              e863b1e55cd9a201bb7809ac9910a88e116d0e4baa3960e755783565bf376a26

              SHA512

              cdcec235f1c56f66caef22f06850be96524873991da5d4fb6b8afd328342b94646c22bdf201a0091e3beb5a2f472b91adf3f3b1bb535ab12383c7de13d40c021

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Attempting

              Filesize

              176KB

              MD5

              c7b2f746bc85d8ae6a82d1fcdf97aec4

              SHA1

              2727e77352394fb221032093f9f8cb08b75de704

              SHA256

              bd1522cb5baf51bfafbe60bfa22d3fee52f4c7aab5f6623a9cb9d64e5d596098

              SHA512

              297b24d6212c71a34a346ba9ec7704cf65cf8cf53b2172bc47c84c557bbd0dd1a80f38964ab143f12ad268658fc6eff9fbe06229195ad180821693ceb8652e62

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Can

              Filesize

              23KB

              MD5

              a73cbae9bd2a41321f36edbdd6c65b7c

              SHA1

              a2fa5a1d98a274b21eecec433dbd40d389f30342

              SHA256

              b112da438b23aac96d683e124e3662e1b400d16a7ae37fa744dccb655626f94e

              SHA512

              f4554896582856e945b2833fc70a6dbe1e570809fa69b8650e766b488fe24e25763668b54b662f3bd0ebba32ef6791f20fb0fb39d5c581649322afcd3577f56d

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Circular

              Filesize

              21KB

              MD5

              b53f193a1db5ebbc23b70b726c5c0ef9

              SHA1

              399d49e299295d345c630e4d493e33809724fc64

              SHA256

              30c6a92bbc3e63f030fb7fae15c54b3dc4ee761efa1c8a50ea972ba0ea8fac5c

              SHA512

              84b6d3c8906903f408cb383b5f37ca767f61469e131136a9ba3e5b5b0c26fe2db6d4cf21efdc0277dc2fb4458bcac3b232e9f1fc81c2d4b9d1dbe548d202933d

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Contamination

              Filesize

              35KB

              MD5

              048275c8473b0a874be5421cc89940e7

              SHA1

              565cbb767e94e9c7da1700848402a26cd82ae7d6

              SHA256

              c00348a944fa33156a4bb434b26e4887494370b70b433c045b7dd398fae27be5

              SHA512

              42a9b215c85aaf1c925e86e83f3ced8e8cf81b37c4e9a729c59a7b6b32b9d4a68fe0d20b462cb910efa55595f1049413fe43eb8dc7e263c7ed941537369780d3

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Delivery

              Filesize

              44KB

              MD5

              cfa9d49c9371fe3e206d03a6d11841d8

              SHA1

              03b5dca0caed51a8a9d18869e6159e275d620f61

              SHA256

              4323539bcde6c14548d79f9b9c6a7a9a76c2f4d7edc3b854f76182818cb258b1

              SHA512

              28cffe1c7b84eaf1a21aaa7f16d8803561c1dc9738f0ec56a3c828af5ce6922cd2d0a1804b3334b1cf39abc2c910591384cb5d26823a418b3ce20019d26efcec

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Evaluated

              Filesize

              153B

              MD5

              cf08079b340fdab04e86b040d078461e

              SHA1

              0326ff30140800b51a0fe8856dc656367cdd8ebe

              SHA256

              f14a10f991af08b0326af086ed0ea3cad3def0f3b54c7cfd23d1539a0c80cf10

              SHA512

              4f3c39fd91c407ea1360d6a4c260e16071290ab0ad0201e08ed9531b18860892e09ced00ba1fc89d4808998c9ad3520e15eedfb143122b27404fe6969069a053

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ieee

              Filesize

              6KB

              MD5

              585d09b16f10af2fdf4e01cbc393422c

              SHA1

              d196cf50c138c7d04f0238ed8424ebebf2bca21a

              SHA256

              3f49376ec6727868eee0ce178cb0fe1cae84463b9444087f6254827b62b33a86

              SHA512

              79611db3617d4b158fa3bc0ec90cc379175edf4bcf6e2af60a2f00ef9e8d0d959bed74f094a32a5fbfd16257c294f3659e9a06519ee0ab660340545b2b5f477c

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Label

              Filesize

              17KB

              MD5

              92e5502db653ed4395441348e2eeaba5

              SHA1

              11223dd7e7effff7359d2f430d514a942e488ccb

              SHA256

              a5d089db7c8e0015cfc2b25cccd216a94c1f2507c3e0f350b3450988ef3c2cbc

              SHA512

              502076f45f8fd0a284bd6e43e6bf082a534f97a0b4258232ee89730c80c90c92928a87be3cecc464be4d2ca4c1e28daa5241a26c99772d230c33dd7679c59198

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Medicine

              Filesize

              21KB

              MD5

              5bfdf8dc632cc32dc5ac6d20e4c8ee80

              SHA1

              733c80e1710022ad6a966940fe5833a346640eed

              SHA256

              5553260b69f6faa02c8e58f94b6414d2016913b74d6522f5fcdefc20eac36b98

              SHA512

              6dcd0b77ee3eeb7f7610b56f850220a4197f56470b5c7e3baff48d2e3f193402ccbaf6a3f69036b4c76236a09b7b553538fc3385b227a5afc4bf64a4a8d51136

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mess

              Filesize

              51KB

              MD5

              1eea5eff1b7d032a5d227a0437b6bd45

              SHA1

              9596bece26074ea14e69e03cb303a54cc1bee1ce

              SHA256

              1e5276f666cf5948a218a2b046fa23514d48d9422058f2e86b489be4f067a8a4

              SHA512

              b704f7ce8320c599aabff0fc0ab9bd4ad81542ac5be6499e0b8f2997f387e0570a26a092281e47eb30def9f8a0a5482160d2d41498c38dccca593159da3cfabb

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Out

              Filesize

              40KB

              MD5

              3ea618afe5a1681a23ac7a3ab270d58f

              SHA1

              8c1017bfe037c490dd467a3587e64bc08cb317d7

              SHA256

              4f37e201e8e5aff58c87ef2b6201f36750bd5383965a1c281fbf1f8b4fa0e3f4

              SHA512

              a0b386b14504048dcfc064bc55f6ed6c53acd3968c7a40a696c7471533e19e705088a061bacf23faf0961d595cbbbcefb804dac915cc47b374b662fbf31537a4

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pct

              Filesize

              42KB

              MD5

              21ecf5216b3a9945c53dd293c43b073a

              SHA1

              684991c0ed9242df8bde212d6f1ccef7ff373186

              SHA256

              a332b7ebfa9ae56b76383945be23180ae4c0eb24c542f6067a56fc2106cad368

              SHA512

              4bc3d72e0f06c5b821bcd81f12fa22c2fe435430fb85cb7d79f03421c9d222e65f4c4783d65aee1ab995eff6a810c7dc4d182d14cfc7cff108ebf0ea0891a0a0

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Places

              Filesize

              9KB

              MD5

              711c2478a4f7cb003ff8f0e2f12c485b

              SHA1

              8eb0cede64a7abea133472485d8bd4a271438ff7

              SHA256

              a701d0ee1d14a452be2ef9ad4bf75d31ab42f49e5cc1636f30abef297e6e218e

              SHA512

              33d463ec06f271e496590cba3b073fee21a31937e7629d2d1f2a5e15fdddf996ee403d80bf4d66fd9b2b39313b2898d9dce4073edc6102b541415d4438729479

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pose

              Filesize

              43KB

              MD5

              df91119a70e56a6fbe62248ea52ae18e

              SHA1

              76df5ccc73df5ae24f10ef7e311ea740f8e19e24

              SHA256

              a63f9c4b49c3f6c469abe0490336dc8c81c86346ed363bed8b49f4aab88b7343

              SHA512

              ab4ee3f9fff2a3f9e914b1f24a82566f8360ae6628962208c59deb488ec662c666d7547e184a8038415e8dc296ec283bd0aee8e66d196f5146fdc187c16f7352

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pregnancy

              Filesize

              47KB

              MD5

              c2306fea58668b8c2bf2c34df5ef2fea

              SHA1

              0ee8f1c7fa2b3b9bf1f4447b33a124cdcecda547

              SHA256

              5cf34136b875ea16ab2e26fb34733b8b2defef04b0a2b4e205eeee1b5e886691

              SHA512

              8a2b368892686af9441c8c675fc6e6e46bf0738f389434b831adac33aaf8a6d5436d5e91eb1f9f22c286eed95083f343b02c274b94f638868c458b6e78cf1933

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Procedures

              Filesize

              49KB

              MD5

              557d9c5d42133129f3cc06dc51d2f78a

              SHA1

              8d5f9cf0ab869e38cfef0bbd894827f5e6e52881

              SHA256

              4ec9139d86815aba942a547e5f44774aec2052e37bf26e59727431ed61f1e333

              SHA512

              d121e27d1c8740d116cd02a84a05eee0e383436afc6128d339289c30776d565beb97c334e0358ba977fe24b88ae55cba58f601ed642718fd20161532ab818227

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Registry

              Filesize

              8KB

              MD5

              dc9e7d6a523e68beb4f21ca2b16dafee

              SHA1

              6f9584e2c6a60ba8b743000d0988dc388ea3a116

              SHA256

              e822464d0a24402e0ac22b22e40ac550ed8b0946b3fa7cfcebb4bbb7c5cf2f9a

              SHA512

              f5b009a74ec5cdda5a962a5a9c0c4696283a063f95ad861ea6f0e2c2572f5011fcf77123ab70a60f5940ee0c3aa63d52b65650389bd2e72fb01a73fb2813fdc0

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sacred

              Filesize

              41KB

              MD5

              174398305f18885f03ab79bf0162274a

              SHA1

              b62c3abed0495a87f1acd1eea6be5d3b336ed7f0

              SHA256

              d81f47bb692b1ed20bfe94e363e92b6c947d4c0adbdbbfd4b6cd5f701c03e70c

              SHA512

              0b9e3cb4cf1d47011e14894d3474e0c67bb3c1f66f12777c8cae45c8e92dcf4fc0d2a18e96484d3f54ddd5e31cfb060352fe2c6cecc1eda655625771e5491f02

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Samuel

              Filesize

              55KB

              MD5

              7886a394784c5ff16f8035e4ef438355

              SHA1

              914d2c98b0d773608ad3b6906b9536848de79a0d

              SHA256

              4086cb0307ee1b403fa2f3274c8c66aa285a325310c815a7f25d7dfb561cdbc6

              SHA512

              935b7ff4cb923c3c907d1df4f000c29b08c1b1d1c6e3a4079a4b90f2fbfcf5a367c6636dff49b81ae3dc2a238e08dee2998653af4349e627f9558e9e9c57ad9a

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Site

              Filesize

              26KB

              MD5

              18e0d240be6a4cda1cafe09d286ef9d8

              SHA1

              3c1b695edd14e815920e793dadf71c4c93d208dd

              SHA256

              edc3f91422263f5f410938f3602db7202a196d5d7799d1fc5ffa5adc79ff1033

              SHA512

              a9bab6afb438e540a66857baa6ffeb991ffb48b30dadc4af9701cbd49180440627f8c0095d5cde831d335723351bd1050801100fc2fbc3bdddd0a8b387c58db0

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sorry

              Filesize

              59KB

              MD5

              62962c19f97f68a87ff1684ec469f94e

              SHA1

              cc93792af47822d9c69dc87af131aa2f71fdd242

              SHA256

              533dd3eb6294b12940d181bf4031a0c7dcb4de07c9a3de15a5df7474615931f9

              SHA512

              bf92b66be1221c801610dcb4369cdb3d9a472fde3b033509ea1bc3d8b5c08d29c7871e72c2f94a877376c8ed0a8ebd9226a68423ae82eb78946064c28ee5da95

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Spas

              Filesize

              40KB

              MD5

              0b83ca4b90d08ab46783656c12b52cec

              SHA1

              10d8cbfedccf3ebae729e2cbd9f3056a3adeab58

              SHA256

              cbaf66b752e9d9eed2c7deafa1a0c33d1b887e84b2ade53c88e8e8eb98d46eaa

              SHA512

              824d315bddc8c56f726eb6df25615d99ac28d5d37e04b4dc450c091e65268954168f7c4caef0be795133fa870c2d6026394e48c2276f8a2fd4c52d49090f714f

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Strategic

              Filesize

              24KB

              MD5

              af32c8d2c920c14652ea7ca2be82de73

              SHA1

              5c3289340df6a46fadf3cd2d7ec82c7bbe6fb3da

              SHA256

              a50a537010be59cfc0ae26bde86d5dcffaee772412b4918a91ddaa75cac8f23e

              SHA512

              0dbe3fbf3fe5a91a8243c08babf07ed8c6e5c1c577015b9c4f1b9f7c49c91523eb63b5382aac5e6b5ffb8484f99ca966e13eca52c8b155e951d24a940fc75cd0

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Theorem

              Filesize

              46KB

              MD5

              2f2ff9d2cd4cd938e41db31c7337bd98

              SHA1

              c972aba839633ba81b0b3ac95ce1e5604dcdd9c2

              SHA256

              00b43c4d27e4825bfdb92634a5a172400d80091e43b4635e8ccf5f0ae081970a

              SHA512

              cd53a9c9ea771874a521efc13907bfbd0b4f78c2ee13975ed09123f7f5110f57213ac8357ff97a25817b8c82691e3178da1c8897c96cf98d841b32beb682ace7

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Warranty

              Filesize

              63KB

              MD5

              8128e4b04e7b35789be125c802561c0f

              SHA1

              d1107ab67ddbc9efba5527593ef91c5e256616fb

              SHA256

              36022914b51d3e6cd1bdd4f30c51a246255dae805fefbe98c28ef0fbcf75dcd3

              SHA512

              6c68674787bf9acf432cc07978372a75a056359a3eb91dea7709336bd33670fcff8034b48efbefa9f3f6f740f794f13d1f3609d884921115d04bf3ed94ebfd7c

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Workshops

              Filesize

              20KB

              MD5

              81d98e4855442c2477cb7b5ec5a00af6

              SHA1

              c4809f11e87237b07dbf619337f9581bc7b4afc6

              SHA256

              ec158425a6ddabcae3f3ad28a876918856cc3fd5502212edea3f4de81af1e63c

              SHA512

              113e669d23d2467b1fffb00c1b1cc99be54426189cffa62d013db9198c0ca30028e219175cfaf56ab51b0889cb5e834696a5e928ecf321693c26fb019a7a68bd

            • C:\Users\Admin\AppData\Local\Temp\F3C1.exe

              Filesize

              331KB

              MD5

              cc193035cd8f2bbd157ff4987775fbce

              SHA1

              62c5c7fb9ea684901b096993ffa94ccd061f7a7b

              SHA256

              95cee0c04c33b542a2d8d1f675b2c6610d91e9a406d744e9fef9197b8be57b6a

              SHA512

              157d687bb89b960b32da06b27edbd85d474531bfe7395bffa30fb207f6fcd1f57ce834f2d87b839d75b5200dafc69b72649c801c0876f4bee2c3e98695fb855c

            • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55106455\Denial.pif

              Filesize

              925KB

              MD5

              62d09f076e6e0240548c2f837536a46a

              SHA1

              26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

              SHA256

              1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

              SHA512

              32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

            • memory/1380-107-0x0000000003F30000-0x0000000003F46000-memory.dmp

              Filesize

              88KB

            • memory/2420-121-0x0000000000400000-0x0000000002B10000-memory.dmp

              Filesize

              39.1MB