Malware Analysis Report

2024-07-28 14:32

Sample ID 240613-syya5avbmf
Target help mev.ps1
SHA256 d8a928b2043db77e340b523547bf16cb4aa483f0645fe0a290ed1f20aab76257
Tags execution
Score 3/10

Analysis Overview

Threat Level: Likely benign

The file help mev.ps1 was found to be: Likely benign.

Malicious Activity Summary

execution

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 15:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 15:32

Reported

2024-06-13 15:35

Platform

win7-20231129-en

Max time kernel

110s

Max time network

110s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\help mev.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Internet Explorer settings

adware spyware

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\system32\SndVol.exe N/A
N/A N/A C:\Windows\system32\SndVol.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\SndVol.exe N/A
N/A N/A C:\Windows\system32\SndVol.exe N/A
N/A N/A C:\Windows\system32\SndVol.exe N/A
N/A N/A C:\Windows\system32\SndVol.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\help mev.ps1"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275463 /prefetch:2

C:\Windows\system32\SndVol.exe

SndVol.exe -f 46269596 32723

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 23.200.189.225:80 www.microsoft.com tcp
US 23.200.189.225:80 www.microsoft.com tcp
NL 23.62.61.168:80 www.bing.com tcp
NL 23.62.61.168:80 www.bing.com tcp

Files
