Analysis

  • max time kernel: 234s
  • max time network: 237s
  • platform: windows10-1703_x64
  • resource: win10-20240404-en
  • resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted: 19-05-2024 15:31

Errors

  • Reason: Machine shutdown

General

  • Target: Loader.exe
  • Size: 521KB
  • MD5: 0e700c36da9bcb97998493b3661ab35a
  • SHA1: 402b44dbcfa6d2ec0fe2fd082805ca4ff52b012b
  • SHA256: 1e212baba428318ef6e3a80c7b8e68c61f5cb03e75e3821a6a706117e622f8f3
  • SHA512: 5a901bd0f2b1d99ebcd161dac9fb9314e83b70f76c1b25575e6a26c0eca0d75cc3873417148e0c5aa405ea9c54ba1e4f91d7094eade8196ab3d9b733f2577cbe
  • SSDEEP: 12288:+FEtsY5UFFc16SkomYXxtEJDeY8fgGGcOS4T3q8:psg16/Axy81nb

Score

  • 10/10

Malware Config

Extracted

  • Family: lumma
  • C2:
    • https://museumtespaceorsp.shop/api
    • https://buttockdecarderwiso.shop/api
    • https://averageaattractiionsl.shop/api
    • https://femininiespywageg.shop/api
    • https://employhabragaomlsp.shop/api
    • https://stalfbaclcalorieeis.shop/api
    • https://civilianurinedtsraov.shop/api
    • https://roomabolishsnifftwk.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (5 IoCs)
  • Enumerates connected drives (3 TTPs, 1 IoC)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (64 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 7 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (23 IoCs)
  • Suspicious use of FindShellTrayWindow (52 IoCs)
  • Suspicious use of SendNotifyMessage (51 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    PID:4388
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of PID 4388)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:2996

  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    PID:1560
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage

  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:3264

  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ExitSync.snd"
    PID:960
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx

  • C:\Windows\system32\systemreset.exe
    "C:\Windows\system32\systemreset.exe" -moset
    PID:1476
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\dismhost.exe (child of PID 1476)
      C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\dismhost.exe {431E6601-5121-4483-8D40-D7BBB63B7B77}
      PID:2240
      • Executes dropped EXE
      • Loads dropped DLL

  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    PID:4880

  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    PID:312
    • Checks SCSI registry key(s)

  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    PID:5208

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:5300
    • Suspicious use of AdjustPrivilegeToken

  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ab3855 /state1:0x41c64e6d
    PID:2436
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
