Malware Analysis Report

2024-11-30 05:13

Sample ID 240519-sx1d4ada67
Target Loader.exe
SHA256 1e212baba428318ef6e3a80c7b8e68c61f5cb03e75e3821a6a706117e622f8f3
Tags: lumma stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 1e212baba428318ef6e3a80c7b8e68c61f5cb03e75e3821a6a706117e622f8f3
Threat Level: Known bad

The file Loader.exe was found to be: Known bad.

Malicious Activity Summary

Lumma Stealer (tag: lumma stealer)
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow

Read this list against the per-process tables under behavioral1 before treating any item as behaviour of the sample. Of the signatures that carry a process attribution there, only Suspicious use of SetThreadContext and Suspicious use of WriteProcessMemory are attributed to Loader.exe (PID 4388, targeting RegAsm.exe, PID 2996); every other attributed signature is raised by systemreset.exe, taskmgr.exe, LogonUI.exe, vds.exe, vssvc.exe or vlc.exe. Loads dropped DLL, Suspicious behavior: EnumeratesProcesses, Uses Task Scheduler COM API and Uses Volume Shadow Copy service COM API have no indicator table at all in this report, so they cannot be tied to any process from this page.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-19 15:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

The static pass raised only the missing Authenticode signature, which is a weak indicator on its own; the family identification comes from the behavioral run below.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-19 15:31
Reported: 2024-05-19 15:35
Platform: win10-20240404-en
Max time kernel: 234s
Max time network: 237s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Lumma Stealer (tags: stealer, lumma)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\dismhost.exe | N/A

The "dropped" executable is the DISM host that the Windows reset flow stages under C:\$SysReset; the WriteProcessMemory table shows systemreset.exe (PID 1476) writing into it (PID 2240). Nothing in this report links it to Loader.exe.

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Windows\system32\systemreset.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | C:\Windows\system32\systemreset.exe | N/A

Both signatures are attributed to systemreset.exe, not to the sample.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4388 set thread context of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

This is the one event, together with the WriteProcessMemory calls from the same PID pair below, that the sandbox attributes to Loader.exe itself. A Temp-resident executable writing into RegAsm.exe and then resetting its thread context is the process-hollowing pattern: the payload runs under the image of a signed Microsoft .NET utility rather than under Loader.exe. For hunting, look for RegAsm.exe started with no arguments (the process list shows it ran as a bare "RegAsm.exe") from a parent outside C:\Windows, and for any network activity originating from RegAsm.exe.

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\setup.etl | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\unattend.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\_s_3C12.tmp | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\setupact.log | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\INF\setupapi.offline.20170318_140323.log | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\DISM\dism.log | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\_s_3C12.tmp | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\BCDCopy | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\setuperr.log | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\cbs_unattend.log | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\DDACLSys.log | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\setuperr.log | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\_s_39DD.tmp | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\ResetSession.xml | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\setuperr.log | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\PushButtonReset.etl | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\Contents0.dir | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\DDACLSys.log | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\setup.etl | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\CBS | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\setupinfo | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Timestamp.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\ReAgent\ReAgent.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\ReAgent | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\unattend.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\_s_39DD.tmp | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Timestamp.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\BCDCopy.LOG | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\SessionID.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\BCDCopy.LOG2 | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\cbs.log | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\_s_3AF7.tmp | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\INF\setupapi.offline.20170318_140323.log | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\diagerr.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\diagerr.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\ReAgent\ReAgent.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\INF | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\DISM | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\diagwrn.xml | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\setuperr.log | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\setupact.log | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\setupact.log | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\INF\setupapi.setup.log | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\CBS\CBS.log | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\DISM\dism.log | C:\Windows\system32\systemreset.exe | N/A
File opened for modification | C:\Windows\Logs\PBR\Panther\actionqueue | C:\Windows\system32\systemreset.exe | N/A
File created | C:\Windows\Logs\PBR\Panther\UnattendGC\diagerr.xml | C:\Windows\system32\systemreset.exe | N/A

Every entry here is either Push-Button Reset (PBR) logging written by systemreset.exe under C:\Windows\Logs\PBR and C:\Windows\Panther, or one of two resource-cache .pri files written by taskmgr.exe. None is attributed to Loader.exe or RegAsm.exe; this signature fires on the reset activity that ran during the session, not on the sample.

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A

The QEMU vendor and product strings in these keys identify the sandbox's virtual disk and DVD-ROM, which is why this signature is usually watched as a VM-detection check. Here, however, every query comes from vds.exe or taskmgr.exe, which read hardware FriendlyName values as part of their normal operation; the report records no such lookup by Loader.exe or RegAsm.exe, so it is not evidence of anti-analysis behaviour in the sample.

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A

All of these are theme and DWM colorization values written under the .DEFAULT hive by LogonUI.exe, which is what the logon screen does when it is shown; none is persistence and none is attributed to the sample.

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Windows\system32\systemreset.exe | N/A

AddClipboardFormatListener is the API a clipboard-monitoring stealer would register, which is why it is flagged, but the only process that called it here is vlc.exe; Loader.exe and RegAsm.exe are absent from both tables.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege; the sandbox did not resolve the name) | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\systemreset.exe | N/A

SeDebugPrivilege on taskmgr.exe, and the backup, restore, security, take-ownership and shutdown privileges on systemreset.exe and vssvc.exe, are each routine for those binaries. Neither Loader.exe nor RegAsm.exe enabled any privilege in this run.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A (38 identical entries)
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A (14 identical entries)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A (38 identical entries)
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A (13 identical entries)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Windows\system32\systemreset.exe | N/A
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4388 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 identical entries)
PID 1476 wrote to memory of 2240 | N/A | C:\Windows\system32\systemreset.exe | C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\dismhost.exe (2 identical entries)

Nine writes from Loader.exe (PID 4388) into RegAsm.exe (PID 2996) precede the SetThreadContext call recorded above on the same PID pair; that is the sequence of a loader copying its payload into a host process section by section and then redirecting execution into it. The two writes from systemreset.exe into its own dismhost.exe child are the Windows reset flow and are unrelated to the sample.

Uses Task Scheduler COM API (tag: persistence)

Uses Volume Shadow Copy service COM API (tag: ransomware)

The report attaches no indicator row and no process to either signature. vssvc.exe, vdsldr.exe and vds.exe do appear in the process list, but nothing on this page ties the Task Scheduler or VSS COM calls to Loader.exe or RegAsm.exe, so the persistence and ransomware tags should be treated as unconfirmed for this sample rather than as observed behaviour.
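The SetThreadContext and WriteProcessMemory rows are the only events the sandbox attributes to the sample, and reading them out of a flat table by eye is error-prone once a report has many PID pairs. The script below is an added example, not part of the report or of any sandbox tooling: it parses indicator rows in the table layout used above into one injection edge per (source PID, target PID), counts the writes, and labels the Loader.exe to RegAsm.exe pair as process hollowing. The rows are copied from this report; the user-writable-directory list and the set of commonly hollowed .NET host binaries used for classification are this example's own assumptions.

```python
"""Extract the process-injection chain from sandbox signature rows.

Added example, not part of the report. It parses the Indicator/Process/Target
rows of the "Suspicious use of SetThreadContext" and "Suspicious use of
WriteProcessMemory" tables into per-(source, target) edges and classifies
each one. ROWS is copied from the report; USER_WRITABLE and DOTNET_HOSTS are
this example's own assumptions, not something the report states.
"""
import re
from dataclasses import dataclass, field

LOADER = r"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SYSRESET = r"C:\Windows\system32\systemreset.exe"
DISMHOST = r"C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\dismhost.exe"

# (description, indicator, process, target), exactly as the report's tables list them.
ROWS = (
    [("PID 4388 set thread context of 2996", "N/A", LOADER, REGASM)]
    + [("PID 4388 wrote to memory of 2996", "N/A", LOADER, REGASM)] * 9
    + [("PID 1476 wrote to memory of 2240", "N/A", SYSRESET, DISMHOST)] * 2
)

_PAT = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")

# Assumed lists (not from the report): prefixes a standard user can write to, and
# signed .NET utilities that are commonly hollowed so a payload runs under a trusted image.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


@dataclass
class Edge:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    ops: set = field(default_factory=set)   # API names seen on this PID pair
    writes: int = 0                          # number of WriteProcessMemory rows


def parse_edges(rows):
    """Fold one row per API call into one Edge per (source PID, target PID)."""
    edges = {}
    for desc, _indicator, process, target in rows:
        m = _PAT.match(desc)
        if not m:
            continue  # rows of other signatures carry no PID pair
        src, op, dst = int(m.group(1)), m.group(2), int(m.group(3))
        edge = edges.setdefault((src, dst), Edge(src, dst, process, target))
        if op == "set thread context of":
            edge.ops.add("SetThreadContext")
        else:
            edge.ops.add("WriteProcessMemory")
            edge.writes += 1
    return list(edges.values())


def classify(edge):
    """WriteProcessMemory plus SetThreadContext from a user-writable image into a
    binary under C:\\Windows is the hollowing signature; Windows-to-Windows writes
    (here the reset flow feeding dismhost.exe) are labelled separately."""
    src = edge.src_image.lower()
    dst = edge.dst_image.lower()
    both = {"SetThreadContext", "WriteProcessMemory"} <= edge.ops
    if src.startswith(USER_WRITABLE) and dst.startswith("c:\\windows\\") and both:
        host = dst.rsplit("\\", 1)[-1]
        return "process-hollowing" + (", .NET host" if host in DOTNET_HOSTS else "")
    if src.startswith("c:\\windows\\"):
        return "windows-internal"
    return "review"


def injection_chain(rows):
    """Return {(src_pid, dst_pid): label} for every edge found in the rows."""
    return {(e.src_pid, e.dst_pid): classify(e) for e in parse_edges(rows)}


if __name__ == "__main__":
    for e in parse_edges(ROWS):
        print(f"{e.src_pid} -> {e.dst_pid}: {classify(e)} "
              f"({e.writes} writes, ops={sorted(e.ops)})")
```

The classification deliberately requires both APIs on the same PID pair: a lone WriteProcessMemory from a Windows binary into its own child (systemreset.exe into dismhost.exe) is ordinary, while a Temp-resident executable that writes into a signed .NET host and then resets its thread context is what should page an analyst.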

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ExitSync.snd"

C:\Windows\system32\systemreset.exe
"C:\Windows\system32\systemreset.exe" -moset

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe

C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\dismhost.exe
C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\dismhost.exe {431E6601-5121-4483-8D40-D7BBB63B7B77}

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab3855 /state1:0x41c64e6d

The process list carries no PIDs; they appear only in the signature tables, which give Loader.exe as 4388, RegAsm.exe as 2996, systemreset.exe as 1476 and dismhost.exe as 2240. RegAsm.exe normally runs with an assembly path to register for COM; a bare "RegAsm.exe" under the 32-bit Framework directory with no arguments is the process Loader.exe injects into (see the SetThreadContext and WriteProcessMemory tables) and is therefore the process whose network traffic, file access and lifetime matter for this sample. The remaining entries (taskmgr.exe, rundll32.exe hosting a shell32 COM server, vlc.exe, the systemreset.exe/vdsldr.exe/vds.exe/dismhost.exe/vssvc.exe reset chain and LogonUI.exe) account for the bulk of the signatures above.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp
US | 8.8.8.8:53 | museumtespaceorsp.shop | udp
US | 172.67.184.107:443 | museumtespaceorsp.shop | tcp
US | 8.8.8.8:53 | buttockdecarderwiso.shop | udp
US | 172.67.218.187:443 | buttockdecarderwiso.shop | tcp
US | 8.8.8.8:53 | 107.184.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | averageaattractiionsl.shop | udp
US | 104.21.62.60:443 | averageaattractiionsl.shop | tcp
US | 8.8.8.8:53 | femininiespywageg.shop | udp
US | 104.21.71.3:443 | femininiespywageg.shop | tcp
US | 8.8.8.8:53 | employhabragaomlsp.shop | udp
US | 8.8.8.8:53 | 60.62.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.218.67.172.in-addr.arpa | udp
US | 172.67.203.218:443 | employhabragaomlsp.shop | tcp
US | 8.8.8.8:53 | stalfbaclcalorieeis.shop | udp
US | 104.21.3.197:443 | stalfbaclcalorieeis.shop | tcp
US | 8.8.8.8:53 | civilianurinedtsraov.shop | udp
US | 104.21.49.245:443 | civilianurinedtsraov.shop | tcp
US | 8.8.8.8:53 | 3.71.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.203.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | roomabolishsnifftwk.shop | udp
US | 104.21.55.87:443 | roomabolishsnifftwk.shop | tcp
US | 8.8.8.8:53 | 245.49.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.3.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 87.55.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
NL | 52.142.223.178:80 | (no domain) | tcp

All name resolution went to 8.8.8.8. Nine forward lookups are candidate C2 domains: the eight .shop names, each followed by a TCP connection on 443 to an address in 104.21.0.0/16 or 172.67.0.0/16, and sideindexfollowragelrew.pw, for which no connection is recorded. Those address ranges belong to Cloudflare, so the IPs are shared with legitimate sites and are not safe to block; the durable indicators are the domain names, which should be hunted in DNS logs and TLS SNI rather than by destination IP. The in-addr.arpa entries are reverse lookups of the same eight connected addresses plus four others (52.111.229.48, 51.104.15.252, 23.14.90.91, 52.167.249.196) that have no connection in the table; they are not C2 domains. The last row, a connection to 52.142.223.178:80, has no domain associated with it in the report.
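Turning the network table into an IOC list by hand is where the reverse lookups and the CDN-fronted addresses cause mistakes. The script below is an added example, not part of the report or of any sandbox tooling: it pairs each forward DNS query with the TCP connection that followed, separates in-addr.arpa reverse lookups from candidate C2 domains, and marks destinations that fall inside CDN ranges, where an IP block would hit shared infrastructure. NET_ROWS is copied from the report; CDN_RANGES is this example's own list (a subset of Cloudflare's published IPv4 ranges, assumed current and to be checked against https://www.cloudflare.com/ips-v4 before use).

```python
"""Correlate a sandbox Network table into an IOC list.

Added example, not part of the report. NET_ROWS is copied from the report's
Network table as (country, destination, domain, proto). CDN_RANGES is an
assumption made here: a subset of Cloudflare's published IPv4 ranges.
"""
import ipaddress

NET_ROWS = [
    ("US", "8.8.8.8:53", "sideindexfollowragelrew.pw", "udp"),
    ("US", "8.8.8.8:53", "museumtespaceorsp.shop", "udp"),
    ("US", "172.67.184.107:443", "museumtespaceorsp.shop", "tcp"),
    ("US", "8.8.8.8:53", "buttockdecarderwiso.shop", "udp"),
    ("US", "172.67.218.187:443", "buttockdecarderwiso.shop", "tcp"),
    ("US", "8.8.8.8:53", "107.184.67.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "averageaattractiionsl.shop", "udp"),
    ("US", "104.21.62.60:443", "averageaattractiionsl.shop", "tcp"),
    ("US", "8.8.8.8:53", "femininiespywageg.shop", "udp"),
    ("US", "104.21.71.3:443", "femininiespywageg.shop", "tcp"),
    ("US", "8.8.8.8:53", "employhabragaomlsp.shop", "udp"),
    ("US", "8.8.8.8:53", "60.62.21.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "187.218.67.172.in-addr.arpa", "udp"),
    ("US", "172.67.203.218:443", "employhabragaomlsp.shop", "tcp"),
    ("US", "8.8.8.8:53", "stalfbaclcalorieeis.shop", "udp"),
    ("US", "104.21.3.197:443", "stalfbaclcalorieeis.shop", "tcp"),
    ("US", "8.8.8.8:53", "civilianurinedtsraov.shop", "udp"),
    ("US", "104.21.49.245:443", "civilianurinedtsraov.shop", "tcp"),
    ("US", "8.8.8.8:53", "3.71.21.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "218.203.67.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "roomabolishsnifftwk.shop", "udp"),
    ("US", "104.21.55.87:443", "roomabolishsnifftwk.shop", "tcp"),
    ("US", "8.8.8.8:53", "245.49.21.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "197.3.21.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "87.55.21.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "48.229.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "252.15.104.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "91.90.14.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("NL", "52.142.223.178:80", "", "tcp"),
]

# Assumed (not from the report): a subset of Cloudflare's published IPv4 ranges.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13")]
_ARPA = ".in-addr.arpa"


def arpa_to_ip(name):
    """'107.184.67.172.in-addr.arpa' -> '172.67.184.107' (labels are reversed octets)."""
    labels = name.lower()[: -len(_ARPA)].split(".")
    return ".".join(reversed(labels))


def in_cdn(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def correlate(rows):
    """{domain: {"connections": [ip:port, ...], "fronted": bool}} for forward lookups only."""
    result = {}
    for _cc, dest, domain, proto in rows:
        if not domain or domain.endswith(_ARPA):
            continue  # bare connections and reverse lookups are handled separately
        entry = result.setdefault(domain, {"connections": [], "fronted": False})
        if proto == "tcp":
            entry["connections"].append(dest)
            entry["fronted"] = entry["fronted"] or in_cdn(dest.rsplit(":", 1)[0])
    return result


def reverse_lookups(rows):
    """IPs that were reverse-resolved, in table order."""
    return [arpa_to_ip(d) for _c, _d, d, _p in rows if d.endswith(_ARPA)]


def bare_endpoints(rows):
    """TCP connections recorded with no domain name attached."""
    return [dest for _c, dest, domain, proto in rows if proto == "tcp" and not domain]


def ioc_report(rows):
    """One line per indicator, with the handling note an analyst needs."""
    corr = correlate(rows)
    lines = []
    for domain, info in corr.items():
        status = "connected" if info["connections"] else "query only (no connection recorded)"
        note = " [CDN-fronted: block by domain/SNI, not by IP]" if info["fronted"] else ""
        lines.append(f"{domain}: {status}{note}")
    for dest in bare_endpoints(rows):
        lines.append(f"{dest}: connection with no domain in the table")
    seen = {d.rsplit(":", 1)[0] for i in corr.values() for d in i["connections"]}
    for ip in sorted(set(reverse_lookups(rows)) - seen):
        lines.append(f"{ip}: reverse lookup only; not among the sample's connections")
    return lines


if __name__ == "__main__":
    print("\n".join(ioc_report(NET_ROWS)))
```

For this report the output lists the eight connected .shop domains as CDN-fronted, sideindexfollowragelrew.pw as query-only, the 52.142.223.178:80 connection as unnamed, and the four reverse-resolved addresses that never appear as a destination.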

Files

Memory dumps (memory/<pid>-<index>-<start>-<end>-memory.dmp):

memory/4388-3-0x0000000000870000-0x0000000000871000-memory.dmp
memory/2996-6-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2996-5-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2996-2-0x0000000000400000-0x0000000000456000-memory.dmp
memory/4388-1-0x0000000000870000-0x0000000000871000-memory.dmp
memory/4388-0-0x0000000000870000-0x0000000000871000-memory.dmp
memory/960-24-0x00007FF6A5630000-0x00007FF6A5728000-memory.dmp
memory/960-25-0x00007FFF9E970000-0x00007FFF9E9A4000-memory.dmp
memory/960-30-0x00007FFF9E550000-0x00007FFF9E567000-memory.dmp
memory/960-33-0x00007FFF9D5F0000-0x00007FFF9D601000-memory.dmp
memory/960-32-0x00007FFF9E510000-0x00007FFF9E52D000-memory.dmp
memory/960-31-0x00007FFF9E530000-0x00007FFF9E541000-memory.dmp
memory/960-26-0x00007FFF8D140000-0x00007FFF8D3F6000-memory.dmp
memory/960-28-0x00007FFF9EC10000-0x00007FFF9EC27000-memory.dmp
memory/960-27-0x00007FFFA1890000-0x00007FFFA18A8000-memory.dmp
memory/960-29-0x00007FFF9E6D0000-0x00007FFF9E6E1000-memory.dmp
memory/960-34-0x00007FFF8CF30000-0x00007FFF8D13B000-memory.dmp
memory/960-38-0x00007FFF9B700000-0x00007FFF9B718000-memory.dmp
memory/960-42-0x00007FFF9ABB0000-0x00007FFF9ABCB000-memory.dmp
memory/960-35-0x00007FFF8BE80000-0x00007FFF8CF30000-memory.dmp
memory/960-41-0x00007FFF9ABD0000-0x00007FFF9ABE1000-memory.dmp
memory/960-40-0x00007FFF9ABF0000-0x00007FFF9AC01000-memory.dmp
memory/960-39-0x00007FFF9B600000-0x00007FFF9B611000-memory.dmp
memory/960-43-0x00007FFF8BAD0000-0x00007FFF8BAE1000-memory.dmp
memory/960-37-0x00007FFF9B720000-0x00007FFF9B741000-memory.dmp
memory/960-36-0x00007FFF9B750000-0x00007FFF9B791000-memory.dmp
memory/960-55-0x00007FFF9E970000-0x00007FFF9E9A4000-memory.dmp
memory/960-54-0x00007FF6A5630000-0x00007FF6A5728000-memory.dmp
memory/960-56-0x00007FFF8D140000-0x00007FFF8D3F6000-memory.dmp
memory/960-57-0x00007FFF8BE80000-0x00007FFF8CF30000-memory.dmp

PID 4388 is Loader.exe and PID 2996 is RegAsm.exe (PIDs from the WriteProcessMemory table). The three dumps of 0x400000-0x456000 (0x56000 bytes) in PID 2996 are the region the sandbox captured from the injected RegAsm.exe process and are the first thing to pull when looking for the unpacked stealer payload; the three PID 4388 dumps cover a single 4 KiB page at 0x870000. PID 960 does not appear by PID anywhere else in the report; its ranges are 64-bit user-mode addresses, so it is not the 32-bit RegAsm.exe from the Framework directory.

C:\Users\Admin\Desktop\ConfirmWatch.mov

MD5 f3ef7217db287a16a0ad1c064f331e22
SHA1 7ef58f7a5dce406c0bb3c6de2535ab6bec5aeba6
SHA256 a962fcc9f64d3947e5965f50e7b396a87c1b1cc1c5d35d9543a695e9bcc87b76
SHA512 be21c99d1a1b6d39e7a3c63213f643e88f8b8230627eb92e5904e9c2908d3c74c48b22cabde8d1094b8cd42eb177eb47a0ca7468ee168e32fa42ac5f60c8108f

C:\Users\Admin\Desktop\ConnectSelect.jpg

MD5 e9897c8a40508f2f0bf421bee7b22f94
SHA1 ccbea8a802334e5946c75f425d0ae77ad0d3200e
SHA256 dd36458b973d8423c74aa1239bada90fad03c3037d6e9e9e3496dbae14b265d3
SHA512 085c08b956b30797ad1b442732d75200020caf413656a56c37c6b031a633c46520a13b704144f0a20d0b430a1e5f8dee837f16eeb8a59119582a04f34e6446ad

C:\Users\Admin\Desktop\EnterDismount.sys

MD5 ed26ad775e8784bb9730a9d71cd019d6
SHA1 0561c188bc849fdbb4207dd3d485edfdaf766b2e
SHA256 00d3664383dfa4930c0573719cee9c38446b7eac99120b0cbbc061f93d351e84
SHA512 0ffd7d7a3a36a37f6ad1cadf95ca5cfebc1c89463b9d7200924a4af52045bdbb9df0bb3f37564e6bd73abc9efd304f9f7d6e304ed09169163e44fad4c2247746

C:\Users\Admin\Desktop\DismountCopy.css

MD5 de886941320756a06b83ebdebdfcc5cc
SHA1 96e21c471949ef03b25f1f86100d073e624beed7
SHA256 416f38e45129051d713dd11002889365f826792ef49d1319d3616391c4cfbdb9
SHA512 3ba1a75fbcc4f9c370c929c86ca93ccc42f816ec30bfbccffc120f0612be69bcdb55f7b4e0e3acfe26abb00f945fc6d3d1690a774297919a72cb51e0e684877f

C:\Users\Admin\Desktop\ExitSubmit.mpa

MD5 da58556906d3025f21c0f41d8d260afb
SHA1 0f317282222996b89d24e24165fe523ce43176e5
SHA256 5ed51e0f805a27923fa9134abe035194c4e0cd0a53e717d1f5addabc8ccfe71a
SHA512 61f3bb01b00af0947e0371a65bf0341afbc2600a59f7f5734a81fcd54ba7098901e80fdc11b7a6543d333e4799e47566bccd6bd3417dd8eb974a1fd7cc7f97b2

C:\Users\Admin\Desktop\ImportGet.cr2

MD5 6bf8dd542e0de5af5c7b5c78b42c92b8
SHA1 5af90f2a953bae8e460638352806c0ed9394a0bb
SHA256 ba7c1c48828b5f16cd5b7e8226e42769893bf6ddef0ff8b9a002e914a7324d9c
SHA512 d729584be3e4b959639e737e5cd1466cc87b2c5d64f674aa7327f428f4edd702a741b3d793f8910f709b710a113f6bcaec653f9c787178c67e7e6ccaff2b47c2

C:\Users\Admin\Desktop\InstallResize.svg

MD5 8bdef906625e5ba12a8a085b3da16bbf
SHA1 6a7fd54b72e6b4df1e8c985b2030f7ff782d1370
SHA256 ac72750680689e43ae312e9d72b7f7b63ed98e5282a0a65c8a918ac5027a004d
SHA512 f501ea847c77cc5bdfc84bed653ad3741ed1b15984547cad577f6a6d35a1ac82665de301f5c135656bc7bce026ed923ec967927f7c33d9dce329daf1fee0736f

C:\Users\Admin\Desktop\RestartWrite.dot

MD5 2cda442da08da825c045ae7a3be72d8e
SHA1 762ea5146c25a563b0da87626c54654a76ec18c0
SHA256 9acaa61be2d46d9150cda56587bf4262d41ea8b1df0ece595b2151db0b6fe48e
SHA512 d91c9345bc06aec3b01651f9a319b800acd4faef0280a482c59df003f300da868495060148e49b42f9ff31ce6e10fbe9e9d67b7e77832ef34766177e7de1af76

C:\Users\Admin\Desktop\ResolveWrite.nfo

MD5 d79a33d3c7202c01c258ab548d8c605d
SHA1 58387d1ce2a873417b618de3e8d6b147033d2715
SHA256 386b6bbf5700d6ef52ce9fe1b6a30deaad0262affd946fb3b89b244410c88277
SHA512 276cb24a34a34582d58c6139cc338c24a656acd86d743f783bce3d169cce92f098be949fa360c59aac2e4100e30b8d2ef193a2fbde3a92fc86a86128a7a4e56a

C:\Users\Admin\Desktop\RequestSend.wdp

MD5 5b36c7e1b0b60c379a02e4ee7ed69b77
SHA1 8b86cb51774110f12c7aa0b1a71821b699817db3
SHA256 1aea7f067bc2439dd18f941dcea658de17530878598dde97236d187cc34dced4
SHA512 cc6aec81e891cae2911fb58bc97890ba959f33306ed3ebad0de34142237fb51069aee181154bf614d32e512f006932de2d36453e13a85b18fba0d7927bccb067

C:\Users\Admin\Desktop\UnpublishCheckpoint.mpeg

MD5 8150b5985dc868a1929f56715040bfd0
SHA1 49c6f914322744d44c8e56513b4798e698b7dc56
SHA256 dbd94f1f968c5bcde9a285d9520f42efb2d40e85b2ad409ae8ba67b485e77af1
SHA512 1174fb2aa2ea937055c374b8025a7d335f8ffe86e5d06763182804cb011e3939347035e32a9b3965d0cc7a4d0dc2602b02809130abef78dbade7a3c301a5f9fb

C:\Users\Admin\Desktop\StepUse.ppt

MD5 084170b4b9afcea151cd0136f8544939
SHA1 defed17803ef33c249d91b2d73f3f5d5f0bffb71
SHA256 62cb5df75125895515d35e6d7e715c9ec33f25c77584c11ecb0dfa21577fcd9d
SHA512 099e5fd52e2f55a2edb55c4b96b47e4df6891173cfe1f6f42dabf47fc66b1dffa62cca38cfb9031f345f01219ebdf40fb45943f223340969374e71f38d4b2ead

C:\Users\Admin\Desktop\WatchNew.AAC

MD5 dbbca1d19dedcb729566e2c50db81c39
SHA1 d604f49c83acfd2cc142ea44b4980394ca2a5a6a
SHA256 b759691b4362bbf07c6da3bfb477ab424234ea5ffe003776c25bffbbd185de5c
SHA512 f14988ee233d48462a0a8e5ac8207fec8ab9863756402bae30cfb362764e8eae019ccbac2145f2f021d4e435da6fa06b347aea130e607a7508804ef7930c0bac

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 eec2bc005e154df8616db5908abae352
SHA1 8928efe27f226e2a3525b8e66099c0cceb8b03d1
SHA256 56166d76af361defdc0f899a7ecfa04f721c8723b9d71a16bfee114adf1c5ab5
SHA512 5414580ad73a35f070a2c1f105abc6f052c0eb819a368db35858ce7f3be7a2a79fd7e3ca09665948e1e10170d21d6e5bf84058f658e77bbedb6947a3752f3453

C:\Users\Public\Desktop\Firefox.lnk

MD5 727e8d51e8bfe552a1e1d8d0f9abd4e2
SHA1 86c030bb74792a7b0326defaca114364213945b9
SHA256 acb08ee2bcb9d65b4e0443f5d68c3e204b5c8e7baab5208fe52ecdcb4313a87a
SHA512 fc7509cbeec353985601a2ab5eb1c609e1a4ab8be2acfddd91b13eccf57e30994a052618ec197f61f4b6ec5860c64432e021feb339362777dc3af7e412caf3fb

C:\Users\Public\Desktop\VLC media player.lnk

MD5 8332bfce613d0df38fb9e89761c894dd
SHA1 98ce9e69af406d5c037d0562c04709eaf4835fad
SHA256 c72c2e46c7bd4a89def8025fa0f0f299f94c87e7ce5b967093c8364fd592eb5f
SHA512 b98ea6408dcadb3f11ae034af1b21503eab5330eb91f65022cb74ff881e2be85a418f23064654484985fe8cace46c4ec6de647cfb159765582f76c073ae066dd

C:\Users\Public\Desktop\Acrobat Reader DC.lnk

MD5 1062e70d1b2cb35fb3f241eed8c144d5
SHA1 ad98028d31a049ca4d73c98b2ac66f4441b66156
SHA256 cc36ae1a83256b1e570eac585cbae58382927e5aef5c265063517f305a1b5aa7
SHA512 24e79228f97a00b38a791f363bac18e91103a4509d033a92fb044431bbc15be8829d89aa7b4fc2650ac20bee9293e1bd1d868b497a7ba769ad98388732227c5d

C:\Users\Admin\Desktop\InitializeUnregister.wma

MD5 c09b704b7db65a37a3a34d2bbde00d07
SHA1 216b4d7547db3916dffea7ab110b9d0a91109b63
SHA256 0f04c87a6e93b79c7fe1d252781fad1ae4825a400c42d86b7b1bd874a578d134
SHA512 def44d59d61d61b853994c2edcca25a4a07e8946d349485c47ec51361d524307c2e245d100b848e6018675255b5d4b9f4dd6e2e410ea119697aa662c1b7a5f92

C:\Users\Admin\Desktop\ConnectMerge.js

MD5 4ba232b11513fb94be083d6d1017bf4a
SHA1 6615c2955beeb5b799cdd87503680634cb3b810d
SHA256 54cf4d0d555918ccd0b65c4e35b9e6183cc26581eb91c728e233f58d269aac86
SHA512 ce5bff1c4d8185a3c81058c6f74b1ac87e7967668217bb1e56539ff5d3ed6bd633998d56c264be2806291bbdba4de21b607b860e2a4d008f3cd4b33a76e86f37

C:\Users\Admin\Desktop\ShowOut.html

MD5 178f8aa13e5f7eb9d8cdbad0fe4f3121
SHA1 e380fbe361c0d4098555a5781f6ba790549523db
SHA256 5ed37b538ec53afe1496ed7db960d38c55d54eaded6b94be29e26f0c16773f6c
SHA512 93aafd6229a7f6ebf6e4debe355409333d63a892569665985aabe3e67d0a21b8928d925cce08dab5ae5ecd787b15d3c4525537cd5252c6578ca18d98cd87d4eb

C:\Users\Admin\Desktop\RestoreAssert.txt

MD5 c89f75640d3bdc0297cb6cf3c580b320
SHA1 9a0f067fd873bd8117d2702e2e5c28f2414668d7
SHA256 b6a0af61cee8b78c07a91aa8e40c783d478fbaefd1db9072bb5e7f0a7209465c
SHA512 c15fadc8f75524e9f80ccfb86e5a41f1c55ec7a3892475a1ee60fd4952e9113bf128bda9f60e8fc10f356621be8b26862468e84070f5f97b6495ecf777276a6c

C:\Users\Admin\Desktop\RequestSave.html

MD5 e6689a08009bb89d3144df2c56629207
SHA1 a00db7d18fc68ad4b6517033c2b12e58b1395629
SHA256 0c0c3a8dcc323cb985efda6c35a97788af3290792646abd5a52eccb99c8c0aa0
SHA512 0a32dc26df800edb5cbc5818a186bcae4a1767eba4e34f37cd7f343770b30df0871263c89ea3deae3d04a8359e0e4e42b6d2f6c8128d0010c50c8a9bf82f5dba

C:\Users\Admin\Desktop\OptimizeExit.mp3

MD5 4a8336f64846514e4cfda93efcdee344
SHA1 4d72287ae7fdb944e537544adecc1582a3a27605
SHA256 9f63f7339b2090b0ef4b47949c82a645857098ba3a7ea05c0705d803a6190990
SHA512 ce3a1c09c00493ae839fb3a20da43970afdb5a58e0e311fbe90b3cee9292d9f5452c9a38f8d2d9439d87c25d354c3fa29db0c8c3eace2f8a169123b9400b920c

C:\Users\Admin\Desktop\InvokeUnlock.edrwx

MD5 ffab35be8b6d5be737d79ec5094a2719
SHA1 4e880c02dff1c3c429d641b407847be4a494444e
SHA256 c3df1ae3c131e3550e1afb5104b6a481d8e2c69b5b3ef63a88b92dfbf88e7f52
SHA512 9a57badb9de4d5648f14fec343f16c96bad30b2ef5b2414d66b18dc19ffb62bb9e5745284fad4c174060cd9c5df4a85417a6616efab876bf3f32a2ffffc97eeb

C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\DismHost.exe

MD5 9ad8d8d2c6126cf9f65f4ba4cd24bcd9
SHA1 505e851852228545903c2423afa81039e0bd9447
SHA256 3687d79e43b9c3aa9ff31dbaafdd2f4674ce0937c7fe34813f43531f32e7aded
SHA512 e38d6af47c7443119fb73fcd6bcb23dd6b96bce19c4a98802af96fd6751e12a8add8c48cc0062ffe315aa7a5ffa6c38787c4f2051a8f6b97ac0dc86b3f8d279e

C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\DismCorePS.dll

MD5 4e43afafe9483d72a5838cdb8ea8d345
SHA1 779d8c234343da4ca7fbdb16b5861eecb025f6e3
SHA256 80e83929245c4377ecc73b7596ebf885d8e919b69ef975701a082d2b5cf2150e
SHA512 22267fe42128333940b9574fc5f5a70f0411280bd4e294bb456f987eb30c5ec1be12f4e5ce44e7007d793a3924032315782eaea96ab18da832ce56c1f0a3fe3d

C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\dismprov.dll

MD5 2737782245a1d166a1f018b368815a16
SHA1 4fd57e0de191c817a733d07138c43ce9a010d64c
SHA256 498c301c9b5dfc36f1031988cb4a440ab17effd606345abd506a807f277b1938
SHA512 7830d377ae880183a2e51a9d557bf0fa324913df28b12f5d7aca815fb2e8a6b0373d76f36877f28cba4ce8bff32da62309fcdcb8ff3930c5f8a54963b7cfdeff

C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\OSProvider.dll

MD5 bb0d5feee5b2f65b28f517d48180ce7b
SHA1 63a3eee12a18bceec86ca94226171ffe13bd2fe3
SHA256 f6c4fd17a47daf4a6d03fc92904d0f9a1e6c68aadf99c2d11202d4d73606dc16
SHA512 d1fc630db506ad7174da9565fd658dc415f95bf9c2c47c21fa8fe41b0dbff9a585244a0b7079dfb31697f14edbc1c021fccff60ffd53b447c910c70de117dc5b

C:\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\LogProvider.dll

MD5 76dccc4bec94a870cb544ea0ac90d574
SHA1 0e500d42b98d340aadd3e886b0c4abefa8b92bc5
SHA256 53637290e64e395a0f07d7423096ccf341ccdf1dcb6e821f4e99d47197ea849e
SHA512 ef01adbf1dfb3856d5a84512556f38af291c0938c1267c8d627e1205385f7be56b0a7e2127f18818f987b53f0a3f910bc930d692be2a8429d03728d086e91a0b

C:\$SysReset\Logs\setupact.log

MD5 af6d7868cf3eb15e18f2667d07c37823
SHA1 c0db2c848792db2c67e11f5aed187e7b77f93c33
SHA256 d6e05281764ee190043e39f7ea67489e55167c43f6ae6e43d8afc4433621aed1
SHA512 370665f0f1559bca85687d774f4a5b3ad54ba354e70a7d82402d6df9a7559e1cd79b993902aff8c20d0478922d6fb5a04adc82d4c28a172828b328754fc7b7c5

C:\$SysReset\Logs\setupact.log

MD5 029f5c90892d5806dacc5fd935fa2f36
SHA1 b885626f87bc0d753331976ca2d9471c0cdd3616
SHA256 b63834dde23fa81865ccae36d4633a01e5ef77d5a7c61576c372e9e95d2a54e2
SHA512 417b0092770dd7137a72cca27d6fc999e8123c827499eeda4a6d600e8528b7f234a6483f7c7a37893627f4d1d4486bb7e61fbe6d0a2e402198ad88b530da3089

\$SysReset\Scratch\133ADD50-A650-44B4-96E5-251A33F3D0DE\DmiProvider.dll

MD5 a5661f7b81dc9ed60d9c3300188447e6
SHA1 9185aae37ad34a4e749de06b1df53d19d5b3aee2
SHA256 945ff6d452fd107e81176e28716bb2877a2ca00f3099634f949c795034788f45
SHA512 55598e15620699ea115e597783cd128c659d27eb5c18ee813bbeb266b7baf083f9012219b991fefa6b540b46552c73b5e7ca8fefa24e7b124017144b1dff1d8b

C:\Windows\System32\Recovery\ReAgent.xml

MD5 c977dd0c9b5598e35d36775d63fc141a
SHA1 4380a81221a3b4a20bb953032a4d409e8f7426f0
SHA256 4c6a21d57ba21990992f23ee935d4fea232d7c196dd91a3681f4b18042779c33
SHA512 a579b61fcf3b561919319a7bf1c71ae0943e556d1ca62de1f2b275f4d2d94fa636ba53c8f8f8b9804f9947ab827441819aa92bee697a61b257c82cbdb29fff95

C:\Windows\Logs\PBR\DISM\dism.log

MD5 a7452820852c41d9d36919ced0610611
SHA1 f8776aa52d1f0197d9c75f67830175e99cc9b229
SHA256 656f05b97e98c08e6b8f012a6e06280801c0bcabf8d5a1a6bc53dbdb8fc55f77
SHA512 7c231fdd150ca48dd20ca570a2970fd035cb3cef3ade9c06618a5a132387ab5e5675e3dc36f458cf89f6f0c6f2d0ac11cf4965f591befc9a811454e03fc4aba7

C:\Windows\Panther\UnattendGC\diagerr.xml

MD5 13414a0ff080846fca254292bff2c0a2
SHA1 ca3aa95a8d95cf27bbc4f5343632edf71981bd35
SHA256 eb219a48b63492a20a33091cb3cbb55f8e1ea5bd1336e98992f14cc33d2cc379
SHA512 598a620c3288e08e398655b2aa3990f31c4a5193667e83b598fdff8e486f8f979079d55f07164fda22b89d129bd1ccc04a645b27db1815382bd11b0b36f246dd

C:\Windows\Panther\UnattendGC\diagwrn.xml

MD5 d0736e1ca2903a0d89de5bdb4bf7c1a7
SHA1 f3229710946ecdbe55fac2dc3558fcf161a9ca02
SHA256 316edd14b00e375978e999611e9072ac7481f174551e893db54c0562ca8f3b93
SHA512 807ece55cb68f7d041307f9e56926bb0d3fc21c55214809bc5be61f74a3af1084b7408680ef7128bae693b2d1c3b361821693adf34a323e2cf419adc820fcef9

C:\Windows\Logs\PBR\ResetSession.xml

MD5 d94e56a930b00a93fa412cbed80416ec
SHA1 b983ea4d9e6c9d77c2e82b5f67fd17fb26c6d4d4
SHA256 cf98aa80663668d3ba3636015374858e4ad97d07a6150924aed24259f3505a5f
SHA512 33d3713d47c49d9b9e4e2389b3c0e3f6f7ef3c832153bc7eabd9af1960530b6711d89faa8a406fc113e174f64dd21cffabab32e29dffc3a605a2ec902760411a

C:\Windows\Logs\PBR\SessionID.xml

MD5 308fae0d078256d8fdda8333530bf495
SHA1 1c607b3319e03fcf45334aa1d1655e14d99524cf
SHA256 2c1759b6eed0a54ed40422c1647f64847fc45824ef9e5d136c7dcb8c19e887f9
SHA512 40feb60135b727a886a7b0dcc6309e1465efc2904b586bd91008ebf33a18e1e412896f65824d2b9021444042fe05971bd37d590110a7b277e7b507cbbb3e9244

C:\Windows\Logs\PBR\Timestamp.xml

MD5 ebcafd292cf9f5b0c6ba1e374e088203
SHA1 8d60934a4013a87550ff4e7eaeda8f7906c5f097
SHA256 63b49c96846f1c92385765ff8088ed9eab2437f1e0f158084240df4c2be19ab6
SHA512 b203430b466d92720354f8d294c7e0c607a5f3ba9dd3fceb0ca5873c94584e34b03e17c010e926d56e8b5a3d824c15b522f3cab052d8920dd4fcd984336a8725

C:\$SysReset\Logs\setuperr.log

MD5 6df6d7b878d74c29315a1557d88d21c4
SHA1 ed2fa679666e25f0bb01b99fc651ac4ce8cfe95c
SHA256 3bd8390d76effcf1cb29ef016d0d2561d54211486b27eb63d6a0033284bcaf45
SHA512 250c76293ccc88609febe3b8175cea37b1b7a497dab365d17940b354959917ad475e61f7d2e33558a6c6884cb40bc02fd08afdfcb48e6a5586c5de83145fa9dc

C:\$SysReset\Logs\setupact.log

MD5 22cef8e6b59dbb4d5bb475056d4e3285
SHA1 ee8a99700cb58ea268643ba8492324d07f51d102
SHA256 cfd7a1640c59f4a4d71dba6a7e010bd1a73813d016aa04569264931b07454b82
SHA512 518284685241e4e9a2fd105c4cc22054abce750674233491642e1d5cd4903815d3713734ca5def5b92c7ed20e7447debeed58a9738d0ddaa36f0f1d41928b49b