Malware Analysis Report

2024-09-23 11:17

Sample ID 240615-l6ltqswgnc
Target rcsetup153.exe
SHA256 b3df198d64ba6f401611f56743bd344c1b02915f9e5d571d271ef8557feaf56c
Tags
bootkit discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral18, behavioral7, behavioral9, behavioral16, behavioral27, behavioral31, behavioral32, behavioral1, behavioral15, behavioral23, behavioral22, behavioral13, behavioral14, behavioral20, behavioral26, behavioral2, behavioral10, behavioral25, behavioral17, behavioral3, behavioral5, behavioral6, behavioral21, behavioral30, behavioral24, behavioral29, behavioral4, behavioral19, behavioral28, behavioral8, behavioral11, behavioral12 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

b3df198d64ba6f401611f56743bd344c1b02915f9e5d571d271ef8557feaf56c

Threat Level: Shows suspicious behavior

The file rcsetup153.exe was assessed as: Shows suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Reads user/profile data of web browsers

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Registers COM server for autorun

Unsigned PE

Program crash

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 10:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1025.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1025.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
BE | 88.221.83.226:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
BE | 88.221.83.226:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
IE | 52.111.236.22:443 | | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240611-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 220

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2384 wrote to memory of 4524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 4524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 4524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4524 -ip 4524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 832

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp
BE | 88.221.83.249:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 249.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.131.50.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1030.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1030.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1032.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1032.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

101s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1032.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1032.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 88.221.83.184:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 52.111.227.11:443 | | tcp
US | 8.8.8.8:53 | 221.131.50.23.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240221-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Program Files\Recuva\recuva64.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Program Files\Recuva\recuva64.exe | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Recuva\Lang\lang-1046.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1026.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1059.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1031.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1041.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1048.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1054.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1029.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1032.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-9999.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\SomeRandomTmpFile748329742893.tmp | C:\Program Files\Recuva\recuva64.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1036.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1038.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-5146.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1066.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\RecuvaShell64.dll.new | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1053.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1051.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\recuva64.exe | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1028.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1061.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-2052.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1027.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1045.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-3098.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1058.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1060.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1035.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1063.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1067.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1079.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File opened for modification | C:\Program Files\Recuva\RecuvaShell64.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1034.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1043.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1055.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-2074.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1071.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1044.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1040.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1050.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1068.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1057.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1049.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1030.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1052.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1062.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\uninst.exe | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1037.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\Lang\lang-1025.dll | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
File created | C:\Program Files\Recuva\recuva.exe | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Program Files\Recuva\recuva64.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe | N/A

Registers COM server for autorun

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Program Files\Recuva\recuva64.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Recuva\recuva64.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Recuva\recuva64.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor | C:\Program Files\Recuva\recuva64.exe | N/A

Modifies Internet Explorer settings

adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\ccleaner.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f65ff768da7d0c41a2a4117a5d06da09000000000200000000001066000000010000200000001bda84d8c32ae088179c768e9acce37fba19c4a98ef51b770f4b652ea60a86cb000000000e8000000002000020000000e1edc83ea60eba5c2c8778a6b5f2f5b39e06e509a435a900b016786009f5082a90000000261de7e6a48ebc68c0348865a3b46c3f142e95bf48acb6f9a516e09b1bee7ec61c490a1b8e7bf4bc9e5a4649f2e01138330f9d5d2b198426a820ca5cb1f9a0de44061f5ddd12117c084b8dbb878defce075eb3f553840784b307254c86ca79c7ce346f7df8c9bf2322238828d5e00e917cc166549d3eeb1b4ea16a6c6bcf9c7762bff4e6be94b33f29c56b47581772b440000000d2128a122221301860c9f98412d0f368acd0feb8b7484bccec9103245804ba4f1348bc3e71cea89afc0218fab569852193ef1bd1a185536ced94b5fc94daba66 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\ccleaner.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ccleaner.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\ccleaner.com\Total = "22" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ccleaner.com\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00d2824e0cbfda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ccleaner.com\ = "22" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\ccleaner.com\Total = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{760EF6F1-2AFF-11EF-8356-E61A8C993A67} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f65ff768da7d0c41a2a4117a5d06da0900000000020000000000106600000001000020000000a749088b0ce63cd68b0576e904042ac466a12992b61f47d4a270a401f18ab0fc000000000e80000000020000200000002c904536742f1779933b8e99664891a6cd978a6ff799fc07bc94e1a4db2a686720000000491ad419b7e5bfedf1bb923dd441b723dbc725caec3db28dc3e5c0baf98224fb400000009d036a8923027f1cd5131e8331e992fbca15f257eb22a289458c47e3cd8852df771c70f71eec734f19aef977f105d4814d3abf2f0cfd9fb0852340140b22d58c | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Program Files\Recuva\recuva64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\S-1-5-18 C:\Program Files\Recuva\recuva64.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Program Files\Recuva\recuva64.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Software\Piriform\Recuva\Language = "1033" C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\ = "RecuvaShell 1.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL\AppID = "{80109467-DE5A-42A1-9445-7E3952C80B6E}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Software C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR\ = "C:\\Program Files\\Recuva" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\ = "RecuvaShellExt Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Software\Piriform C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E}\ = "RecuvaShell" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Software\Piriform\Recuva C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\RecuvaShellExt C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0 C:\Windows\system32\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518
ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Program Files\Recuva\recuva64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df
36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Program Files\Recuva\recuva64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files\Recuva\recuva64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Program Files\Recuva\recuva64.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\Recuva\recuva64.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A
N/A N/A C:\Program Files\Recuva\recuva64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2972 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 612 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2972 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Recuva\recuva64.exe
PID 2972 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Recuva\recuva64.exe
PID 2972 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Recuva\recuva64.exe
PID 2972 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Recuva\recuva64.exe
PID 2972 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2972 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2972 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2972 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2972 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Recuva\recuva64.exe
PID 2972 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Recuva\recuva64.exe
PID 2972 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Recuva\recuva64.exe
PID 2972 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe C:\Program Files\Recuva\recuva64.exe
PID 2596 wrote to memory of 2084 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2596 wrote to memory of 2084 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2596 wrote to memory of 2084 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2596 wrote to memory of 2084 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe

"C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /I "C:\Program Files\Recuva\RecuvaShell64.dll" /s

C:\Windows\system32\regsvr32.exe

/I "C:\Program Files\Recuva\RecuvaShell64.dll" /s

C:\Program Files\Recuva\recuva64.exe

"C:\Program Files\Recuva\recuva64.exe" /installationComplete "bin|folders|allusers"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ccleaner.com/go/app_releasenotes?p=2&v=1.53.2096&l=1033&b=1&a=0

C:\Program Files\Recuva\recuva64.exe

"C:\Program Files\Recuva\recuva64.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:275457 /prefetch:2

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 analytics.ff.avast.com udp
US 34.117.223.223:443 analytics.ff.avast.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.169.67:80 o.pki.goog tcp
US 8.8.8.8:53 service.piriform.com udp
BE 104.68.86.143:443 service.piriform.com tcp
US 8.8.8.8:53 license.piriform.com udp
BE 104.68.86.143:443 license.piriform.com tcp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 34.117.223.223:443 analytics.ff.avast.com tcp
US 8.8.8.8:53 www.ccleaner.com udp
BE 104.90.25.36:80 www.ccleaner.com tcp
BE 104.90.25.36:80 www.ccleaner.com tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 104.90.25.36:443 www.ccleaner.com tcp
US 8.8.8.8:53 analytics.ff.avast.com udp
BE 104.90.25.36:80 www.ccleaner.com tcp
US 34.117.223.223:443 analytics.ff.avast.com tcp
BE 104.90.25.36:443 www.ccleaner.com tcp
BE 104.90.25.36:443 www.ccleaner.com tcp
BE 104.90.25.36:443 www.ccleaner.com tcp
BE 104.90.25.36:443 www.ccleaner.com tcp
US 8.8.8.8:53 cdn.cookielaw.org udp
US 8.8.8.8:53 widget.trustpilot.com udp
US 8.8.8.8:53 assets.adobedtm.com udp
BE 104.90.25.36:443 www.ccleaner.com tcp
BE 104.90.25.36:443 www.ccleaner.com tcp
US 8.8.8.8:53 s1.pir.fm udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 s7.addthis.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
SE 23.34.232.228:443 assets.adobedtm.com tcp
US 104.19.178.52:443 cdn.cookielaw.org tcp
SE 23.34.232.228:443 assets.adobedtm.com tcp
US 104.19.178.52:443 cdn.cookielaw.org tcp
BE 23.41.178.112:443 s1.pir.fm tcp
BE 23.41.178.112:443 s1.pir.fm tcp
BE 104.68.81.91:443 s7.addthis.com tcp
BE 104.68.81.91:443 s7.addthis.com tcp
GB 54.192.137.49:443 widget.trustpilot.com tcp
GB 54.192.137.49:443 widget.trustpilot.com tcp
GB 172.217.169.67:80 o.pki.goog tcp
GB 172.217.169.67:80 o.pki.goog tcp
GB 172.217.169.67:80 o.pki.goog tcp
GB 172.217.169.67:80 o.pki.goog tcp
US 8.8.8.8:53 cdn-production.ccleaner.com udp
BE 104.90.25.36:443 cdn-production.ccleaner.com tcp
BE 104.90.25.36:443 cdn-production.ccleaner.com tcp
BE 104.90.25.36:443 cdn-production.ccleaner.com tcp
BE 104.90.25.36:443 cdn-production.ccleaner.com tcp
BE 104.90.25.36:443 cdn-production.ccleaner.com tcp
US 8.8.8.8:53 dev.visualwebsiteoptimizer.com udp
US 34.96.102.137:443 dev.visualwebsiteoptimizer.com tcp
US 34.96.102.137:443 dev.visualwebsiteoptimizer.com tcp
US 8.8.8.8:53 s.go-mpulse.net udp
BE 23.55.96.141:443 s.go-mpulse.net tcp
BE 23.55.96.141:443 s.go-mpulse.net tcp
US 8.8.8.8:53 ocsp.starfieldtech.com udp
US 8.8.8.8:53 ocsp.starfieldtech.com udp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 192.124.249.36:80 ocsp.starfieldtech.com tcp
US 192.124.249.36:80 ocsp.starfieldtech.com tcp
US 172.64.155.119:443 geolocation.onetrust.com tcp
US 172.64.155.119:443 geolocation.onetrust.com tcp
US 8.8.8.8:53 c.go-mpulse.net udp
BE 23.55.96.141:443 c.go-mpulse.net tcp
BE 23.55.96.141:443 c.go-mpulse.net tcp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 snap.licdn.com udp
US 8.8.8.8:53 static.hotjar.com udp
US 8.8.8.8:53 static.ads-twitter.com udp
US 8.8.8.8:53 bat.bing.com udp
US 8.8.8.8:53 amplify.outbrain.com udp
US 8.8.8.8:53 c5.adalyser.com udp
US 8.8.8.8:53 s.yimg.com udp
US 8.8.8.8:53 mstatic.ccleaner.com udp
US 8.8.8.8:53 www.mczbf.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 151.101.188.157:443 static.ads-twitter.com tcp
US 151.101.188.157:443 static.ads-twitter.com tcp
US 13.107.21.237:443 bat.bing.com tcp
US 13.107.21.237:443 bat.bing.com tcp
IE 52.49.191.165:443 c5.adalyser.com tcp
IE 52.49.191.165:443 c5.adalyser.com tcp
SE 23.201.43.51:443 snap.licdn.com tcp
SE 23.201.43.51:443 snap.licdn.com tcp
GB 163.70.147.23:443 connect.facebook.net tcp
GB 163.70.147.23:443 connect.facebook.net tcp
GB 13.224.245.61:443 static.hotjar.com tcp
GB 13.224.245.61:443 static.hotjar.com tcp
SE 23.34.233.58:443 amplify.outbrain.com tcp
GB 87.248.114.12:443 s.yimg.com tcp
SE 23.34.233.58:443 amplify.outbrain.com tcp
GB 87.248.114.12:443 s.yimg.com tcp
NL 20.50.2.53:443 mstatic.ccleaner.com tcp
NL 20.50.2.53:443 mstatic.ccleaner.com tcp
GB 216.58.201.98:443 googleads.g.doubleclick.net tcp
GB 216.58.201.98:443 googleads.g.doubleclick.net tcp
GB 143.204.194.59:443 www.mczbf.com tcp
GB 143.204.194.59:443 www.mczbf.com tcp
GB 13.224.245.61:443 static.hotjar.com tcp
GB 13.224.245.61:443 static.hotjar.com tcp
SE 23.201.43.51:443 snap.licdn.com tcp
SE 23.201.43.51:443 snap.licdn.com tcp
SE 23.34.233.58:443 amplify.outbrain.com tcp
SE 23.34.233.58:443 amplify.outbrain.com tcp
GB 13.224.245.61:443 static.hotjar.com tcp
GB 13.224.245.61:443 static.hotjar.com tcp
GB 13.224.245.61:443 static.hotjar.com tcp
SE 23.201.43.51:443 snap.licdn.com tcp
SE 23.201.43.51:443 snap.licdn.com tcp
GB 13.224.245.61:443 static.hotjar.com tcp
SE 23.34.233.58:443 amplify.outbrain.com tcp
SE 23.34.233.58:443 amplify.outbrain.com tcp
US 104.19.178.52:443 cdn.cookielaw.org tcp
SE 23.201.43.51:443 snap.licdn.com tcp
SE 23.201.43.51:443 snap.licdn.com tcp
SE 23.34.233.58:443 amplify.outbrain.com tcp
SE 23.34.233.58:443 amplify.outbrain.com tcp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
US 8.8.8.8:53 region1.analytics.google.com udp
BE 108.177.15.157:443 stats.g.doubleclick.net tcp
BE 108.177.15.157:443 stats.g.doubleclick.net tcp
GB 142.250.200.3:443 www.google.co.uk tcp
GB 142.250.200.3:443 www.google.co.uk tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
GB 172.217.169.67:80 o.pki.goog tcp
GB 172.217.169.67:80 o.pki.goog tcp
US 8.8.8.8:53 cdn-uat.ccleaner.com udp
BE 104.90.25.36:443 cdn-uat.ccleaner.com tcp
BE 104.90.25.36:443 cdn-uat.ccleaner.com tcp
SE 23.34.232.228:443 assets.adobedtm.com tcp
IE 52.49.191.165:443 c5.adalyser.com tcp
US 13.107.21.237:443 bat.bing.com tcp
US 151.101.188.157:443 static.ads-twitter.com tcp
US 8.8.8.8:53 zn4i1jhjmxub1nc6y-gendigital.siteintercept.qualtrics.com udp
US 104.17.209.240:443 zn4i1jhjmxub1nc6y-gendigital.siteintercept.qualtrics.com tcp
US 104.17.209.240:443 zn4i1jhjmxub1nc6y-gendigital.siteintercept.qualtrics.com tcp
US 8.8.8.8:53 684dd328.akstat.io udp
BE 23.55.96.141:443 684dd328.akstat.io tcp
US 104.17.209.240:443 zn4i1jhjmxub1nc6y-gendigital.siteintercept.qualtrics.com tcp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 34.117.223.223:443 analytics.ff.avast.com tcp

Files

\Users\Admin\AppData\Local\Temp\nso10F4.tmp\UserInfo.dll

MD5 2f69afa9d17a5245ec9b5bb03d56f63c
SHA1 e0a133222136b3d4783e965513a690c23826aec9
SHA256 e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0
SHA512 bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

\Users\Admin\AppData\Local\Temp\nso10F4.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

\Users\Admin\AppData\Local\Temp\nso10F4.tmp\g\gcapi_dll.dll

MD5 2973af8515effd0a3bfc7a43b03b3fcc
SHA1 4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee
SHA256 d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0
SHA512 b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

\Users\Admin\AppData\Local\Temp\nso10F4.tmp\ui\pfUI.dll

MD5 f7222368c66e02ee333e6fca4fdccb66
SHA1 b2c6c1d24f78cb4a6de87eba5480f3a6f6b278b5
SHA256 b09f1359c68947c7d13123dda3ab56360b982befb43c134be815934ed4879215
SHA512 ab6158735234cbbc7ccfdee3c8e247d196070aa234e6bcb6b4cc6c13b4d0f1c85d84afe5c7d3f98349b32a4d4bc84750335fc9f1d8032e759ea03cea1e11a839

\Users\Admin\AppData\Local\Temp\nso10F4.tmp\nsDialogs.dll

MD5 6c3f8c94d0727894d706940a8a980543
SHA1 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA256 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA512 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

memory/2972-85-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso10F4.tmp\ui\res\Recuva_Logo_72px.png

MD5 6a2e01749e591a1ce8216daed41b8721
SHA1 a4aa31d936a33eb7d58e809b738184f6b2c7e1c2
SHA256 f72782600989eff0aa13ff7c63875538c9042c32b77862475c899514f61c9290
SHA512 262e6b6ed89fa30f954dc73c1bb329d9ea256fefa172e12b23610e7c1ab6dad3b698cbcdc010f8c16e90b0bdd6e96d60e8aba50b876d69f9fb1f2889ac14f0fe

C:\Users\Admin\AppData\Local\Temp\nso10F4.tmp\ui\res\PF_logo.png

MD5 079cca30760cca3c01863b6b96e87848
SHA1 98c2ca01f248bc61817db7e5faea4a3d8310db50
SHA256 8dd37d3721e25c32c5bf878b6dba9e61d04b7ce8aec45bdf703a41bc41802dfa
SHA512 3e25c10e3a5830584c608b9178ab062e93e0e9009a7d897bb5e3561180b0b0910bd4178063d982eb33806a005c93931ae2ec5be520ec0d0c9a7c452cb78fd6a8

C:\Users\Admin\AppData\Local\Temp\nso10F4.tmp\ui\res\RC_Computer.png

MD5 67f13e50fa75087ef8c2074a52cc8bb1
SHA1 8f31cf48fab91b9e263105289d17c146d088274b
SHA256 044ec2d36e9f573d762fc8a43eb09f7b24eb30094a4e61b5d606fd96f72d391f
SHA512 44ee943ae440d93d7ec78393749667680abbe379f9e21fb10244362c2c3f9df790170c541aa30a8487ef25952068c78e44dacd48def29aa84cee78d1c1ce63ae

memory/2972-103-0x0000000004C60000-0x0000000004C70000-memory.dmp

memory/2972-109-0x0000000004E00000-0x0000000004E10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 c7302ad12bc282d80df792aa04ac2ef3
SHA1 45890f3b6812321b2450d44ba5f6df8ee12b0692
SHA256 ab79631d4d570b020d4de145e7033bf587b3ec5e7e7d040f738af87a27e3bc5b
SHA512 c9652fa90b1fa43c2904a70ce0ffdd75af264bc4bec049b06217ab9ec39150a7629a0958ca465bdd62e24eff478e7846352123e9c65c63417a74e309e695a9c5

memory/2972-132-0x0000000007420000-0x0000000007428000-memory.dmp

memory/2972-135-0x00000000075A0000-0x00000000075A8000-memory.dmp

memory/2972-137-0x0000000007410000-0x0000000007411000-memory.dmp

memory/2972-142-0x00000000073C0000-0x00000000073C1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 b917fcd793e953c6352071d40d4e33e2
SHA1 48ab03d1298952c319a058a1582aff9436a8f40f
SHA256 7e9d8855027f137d4c81fbe2319197498b1cde06d612f917332c4b580ec46022
SHA512 7d41e7c790c619291b361b5c020acce4213bb6e6ab4e5aa0717dea694b7437cebbcf98dce68cefb973032fa15f0408d0db6a8314e293ae7dc59438a63f327d14

memory/2972-187-0x0000000007430000-0x0000000007438000-memory.dmp

memory/2972-190-0x00000000075A0000-0x00000000075A8000-memory.dmp

memory/2972-192-0x0000000007420000-0x0000000007421000-memory.dmp

memory/2972-197-0x00000000071B0000-0x00000000071B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso10F4.tmp\ButtonEvent.dll

MD5 c24568a3b0d7c8d7761e684eb77252b5
SHA1 66db7f147cbc2309d8d78fdce54660041acbc60d
SHA256 e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d
SHA512 5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

C:\Users\Admin\AppData\Local\Temp\nso10F4.tmp\p\InstallerHelper.dll

MD5 75167037fb3c8aeee24125d6f299788b
SHA1 ffa0a17ae8c31b034c8b7493f0c0475707b22244
SHA256 b4d5b08719dde73fdc10d40021ab90c8bd1e83115156c35188bcecb48a1620b0
SHA512 da2ca9e243c1b369e067a0c242bcba41d34a883b8172c938808b5fe33d204e702e4b599408bb89d925ff750e893575e15bc3a461ab34f0384e83b33655ef3525

\Users\Admin\AppData\Local\Temp\nso10F4.tmp\INetC.dll

MD5 7760daf1b6a7f13f06b25b5a09137ca1
SHA1 cc5a98ea3aa582de5428c819731e1faeccfcf33a
SHA256 5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079
SHA512 d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

\Program Files\Recuva\recuva64.exe

MD5 a6e75ac54ca80764ed631be8a0259ef5
SHA1 5e362445783d2800ec7f2c377ed005a58ecb3ba7
SHA256 b640f712a5dc9ab2bb5dd7c7957cf13da520aae74851770437165ede54f3dff4
SHA512 8d8a082a5269706bcfaf6696cff5488b3a3f93d10aa056055726a1c7c6fa2cb77af5bf66d1507c7e1b1e9a844ea37349307511566ba50397e31ac6b4aa405aa9

\Program Files\Recuva\RecuvaShell64.dll

MD5 28f7b04a5a2b00f8cd7bb9ac8c926561
SHA1 66326430cd2bcaa39a30095ece30a4b4e673d9a7
SHA256 6974a6b2c5b4ff0ce7e4ea7385787d36d5793cc344f03710c24b994699a5c2ef
SHA512 49c7c5532ebaa70042fcd275452bcd8c2d795bae9adb37fb5c55e16519a99f25842a19f07b6f2dfebaf3fc8f9a5a85f5fd3a3f94f267d2611566c6931258fc45

C:\Program Files\Recuva\lang\lang-1025.dll

MD5 9ddb914c12b8931300badf0af3007afc
SHA1 ca12b9a7928e73a94db8ea43aa3969508c219ef5
SHA256 3986bfe961bbd9cfa4f157755aef89ee064f6dcd33419d79d8edb09d72153df7
SHA512 f76cc7d441275be6bf5fbf7684aad98ce9b43bac4a9fc3579770ab2fb79282c25e478c4601682ae73175fb443205e7005907b1317ac7f07a9d74e4f159cb0830

C:\Program Files\Recuva\lang\lang-1026.dll

MD5 e481a7929bb5259c2c3109f715898446
SHA1 2fd5ab1da7f07d73a60866d83dea01315f8b98d0
SHA256 a3ffcfe0a2f99be55ca688e069a401a1c662d81e103760e87bce33fe6bde6395
SHA512 4e6e1354323235176d556dc2b3ebb037120deb509009f66272bc17d381e9c7a802340939560c6d4c8aac27585300d8484f43eb8fbdb8c840fde3f20817362fab

C:\Program Files\Recuva\lang\lang-1027.dll

MD5 2facb5e65c8480fc8a0c3ddca8469020
SHA1 0eff87f3c92a039fd1807fb06633be83c7e1f640
SHA256 8d989a3a83df8150bead76dd49cc8c32b4242d006347061cedd06759e9e20f79
SHA512 7739c700d7c9bf011b7ac2d59786e20a54644603b1d42ea9c28fe43c0aae86968d38ef131abbf7030b289e389bbc96bb664215f729b17020975412a237d49d16

C:\Program Files\Recuva\lang\lang-1029.dll

MD5 b795c500b754cb89fa59a75e93ec2995
SHA1 9f6b82938fdcc3d40912f8dd6b7b9c793e62a282
SHA256 c20b2fbdf7abfe43715fbd9a885e77e19048be0f6e43a68068bb72abec0d886b
SHA512 c4505108c5ad0d996d78d49b8f0909d76bee5de591c857c53700fdd022a5fffd311626d7f3624e73b982b570922d64daa72b59363a4f41e9ff97624ed442a03f

C:\Program Files\Recuva\lang\lang-1031.dll

MD5 265be91935b61c63cba03f4b7f05cf7f
SHA1 569a8cf145dd27a087cbf8cdedf1330b4c52659c
SHA256 7c357f11264c03e881cd604b3e8d1d36eff1cc0bf0f9728e478b178c25a962de
SHA512 e7f204fc7806280e36bc15c7c92ad46919288848e50688d2b95ca0c8d1e65856508409ca0c28fce177ce4cb8ffa7c21c0690ba701399504d9cca6d37242d7f7b

C:\Program Files\Recuva\lang\lang-1032.dll

MD5 2951aff067cebc29a13b20b921416b86
SHA1 49c528c482ac6c48b36f5f011ea9aece7413e3eb
SHA256 bbc893ff8dd4279e7f822bd6f14c454db229cd85c09e44f45503bbe938343013
SHA512 7a1b2c27eead257ec441be1e3028bb02c8d0248503467188b83eae9e80f12a7e888277d6f17372fc2a008fb92848ba035b3e10ed31189e914fd920f6446bc5f4

C:\Program Files\Recuva\lang\lang-1034.dll

MD5 6efdee57ce0538d5dc2f32caf88a16a2
SHA1 76e181620caa2907b9d2b2427a46c9e6861c6db8
SHA256 6f744599b2622a60f0f7dbc7e6ccfe3973349c523781c61a8bdf66527bdb33ec
SHA512 e30539419e610ed81a337344ed73d35f3fc99702e3de931a5bebaef1178699813452be96280a6a2859bfd28980539b0b0c687df12ca48db894bd77586d3e9889

C:\Program Files\Recuva\lang\lang-1036.dll

MD5 adbca31238c5bdb2b100fd0677d81090
SHA1 d402da5441ec418f20789dc2db50c34bf6b3de17
SHA256 ac082917e481081c653d2e897dd6a0b58e4ac7cbf42b17ad45d7b281ca9a423a
SHA512 fdfa289aacb78069e898a8727013b14185da5536ebcddb0de4881a77d8ce65868d694a6b2cef0a3d540276808004811d22020bc5595b5edd9e5bdb4f96034995

C:\Program Files\Recuva\lang\lang-1038.dll

MD5 2a1fc614dfd7fefa59ce5663454f0121
SHA1 305dccbd90a884242f3e7944ea513af806da9c9d
SHA256 c5e9f5112e9d3b2edec3e74f08426128bba6de68bbe9637308dee033693ba0f8
SHA512 0ec44ae4ee4ea3394d03b1e7601043dc5e2fdcb9c180270fcb94809287e7eb88d99e38302a0add80ac78e81dc6d6dfdb88faff9f97d773c98414e51bc8a02e2f

C:\Program Files\Recuva\lang\lang-1040.dll

MD5 1b76d1e1721505bb78e244ca9f4b4592
SHA1 0d6cc6fca0efe58137efc4a55896f8f07177f611
SHA256 7000a53f92557e349fd06a7d8c243d15eb934f07e85fb384b331eebb429296c2
SHA512 57618c4d7f43b5a30b4dbce162b600579c72b539814e9d46940d2e54b6f73f9daf1de242b597f18334168ce59fbb868bec5e1b9364e56963f218e748e24f1be1

C:\Program Files\Recuva\lang\lang-1041.dll

MD5 10cec1e9de4c2e3b3e3c0caed9b69d0b
SHA1 33587bbc8387a368749c1d1e2dc151306f277475
SHA256 e33dde8ed6dbefc2945a6c0ff82eb148e432f9f8e771e7af0a040111d9d23e43
SHA512 257f1998aa57c1fe07f0a0220dda8dfe31a5b52c89d95e087f744ba2885e515d693c2a6b071d55eddf7914f70eb6d98cc745c5c1364465f45cfef22a5f4aacea

C:\Program Files\Recuva\lang\lang-1043.dll

MD5 aa9aad1c5c880ea0f48095d50d302fd6
SHA1 0015ff4fc557f87fe06d9e5dc6018536398c34c4
SHA256 08b61f09ba0997a01a82ee650e1d7efb14380f98d76ae905fdc80659aa5db70a
SHA512 d5a8704ae380ecd2c953ae0cde8da14a7f4b23073c054ecc2c981bfed3632fd43830bf99d5b9a79a37663b189feb302a0a6d71665929eba86c55fa1308ed311a

C:\Program Files\Recuva\lang\lang-1044.dll

MD5 ed87eb680f9d852195da551b84afb425
SHA1 bf8cfc4fde0fbd84240cf5851c3065f70c63a854
SHA256 9ecbf11a016f8151c671f79ccfc61b28484de18d1dd3e85abb46b703eddb8446
SHA512 7c2676606be168793b3524cce32482eb3edc744f27cfcb929716021c7875700b11d3b52a148fee0442d3e114805b168c1c6740bbdd0acd180f3d4273c0354829

C:\Program Files\Recuva\lang\lang-1045.dll

MD5 a067aa2bf30758d3d09b34e9b8183077
SHA1 18632f5ea547181dfb90a88c11f5e13985e697cb
SHA256 d38466c9213410b0696a48f8d2d157f42939c38a14640c5c8d8ed410855b13fd
SHA512 e2ed920dccf1d47b18612c49776f2d9052cf6558265c60d965f7740dbcdc1975ba88ecf652282b7189f5ecd7fb80b025dd4dddd41b248ac6114d86a353b46338

C:\Program Files\Recuva\lang\lang-1048.dll

MD5 8d80b9957c8078007c3a877516a0d690
SHA1 63e46c2e641f33732537f5e1e7e8739895902cba
SHA256 0dfaf1ae45faa5517a400f939b3f1a7ce21e2fbf79bc06110bfbcb550cbbd61f
SHA512 7f9a49ac4d2108d41cf80122b91cc14d49c633092972de643366ca68051edeaf25e7b8a6591abe58819684bbc948cba329049c8676f667ab3ddd899660a148c0

C:\Program Files\Recuva\lang\lang-1050.dll

MD5 779065193a184dc0319d68db5db8b9a8
SHA1 672193f1597d0a2eaa973f5202507db0f3ba39f4
SHA256 0d2d6f46941caf0f76a814d7c11bb5c3e023fb54a0cd7c20ef2207bd860696fe
SHA512 bb1e39efe6e1f90ff1aa0e1e8bb9e8da2e14f51b72c20430f0cdaff0e4ba99ebb22b964c30892e15450d28f77bdb86fa8e0c2ee8d801ce56963e6468ad02c5cf

\Program Files\Recuva\Lang\lang-1049.dll

MD5 5966407028d5712ae7ee5d874908c97a
SHA1 6fde76062502185daabcb74613e3b08f7ead763e
SHA256 a5b7dd96329547ea34358d4f64e57908cfb6bd06cf78e2cb6db33f9c1870a2e9
SHA512 213d229fa00c1f9f97fd1e337ebef1efe5c2ba9460c9d7cefc6995444c5126c0cf38e99f7c0b046adcb8d1a1b469a4392e0dac23fc670f40ad2e5aab34023d93

\Program Files\Recuva\Lang\lang-1046.dll

MD5 fb8966bc3f0fa0c7ef6e3990473ac07c
SHA1 feb021157028ab5f0204ee8af3febb3f476b4751
SHA256 72d15f6d90c8ac7df717b67f7a1126b5e79ee6566a33ee4b6b0d3ba9088525d6
SHA512 f066f9cab13f460f05d4d058fd5b569ab9e7baec9914a657a8fa682b84fb2b6ff4a46867eab1c1dfe7bf2d5a9637653cfbb526dd3096512700b36f2d8108d60d

\Program Files\Recuva\Lang\lang-1037.dll

MD5 a4fcb6a262236d69465adbfec1c23268
SHA1 0d621ca4b34ce23784135d06a71e78b92dad6060
SHA256 c12a16c4cd4acccf23357864b5db0740cbcf1c1d424a07ed3230000cefe8fa60
SHA512 7076e7469917f392407e86dec32b6f44deeac689bdb08d8cbf67464844936947c9189b3e92f2c3ce8a43694f02b159e9504c2aabec7364b979874b784f1db5b4

\Program Files\Recuva\Lang\lang-1035.dll

MD5 36ce745af843c782552193365133e304
SHA1 b98974efe324e006d5ce8a37287ffa1506a5187b
SHA256 ec57eab3e52753d0321efe8f5cdd277a5cd1f6057a9ef61576703aff21664fe1
SHA512 58616abfc5caad0ab7875ee695ad3f2abd06ad1955f3d0bdf7859f148e84332921b5d4461227e118a745d3102a16b198a613d77427abb43215e9e750bb676aa6

\Program Files\Recuva\Lang\lang-1030.dll

MD5 44bbf13452ffb6fc77a1cab6b3eb70a3
SHA1 2e06230f1efa667ad271898caf82925162ee4984
SHA256 dd392a083f67df1d2ecacae0131800c232040b84b5b8fce4df477a70930b4eb7
SHA512 3ec1e86310e8ba96b992c961ffe49bcbc0ceea02ccf66ce183a429301dfd9021b953602e8880aa66c689966aaa2ca61131971612da422d4932fa2d29a30db509

\Program Files\Recuva\Lang\lang-1028.dll

MD5 de8dcf8665fbf2125e03e13fa0af7e5c
SHA1 df9f08b3f6145d30205d290e1e4c56b74bc04734
SHA256 636075af19d92afd327fe831b28836c1fd196d10279f0fa046b6e0de870c5a0f
SHA512 2b3283d413938db03f61cda75646f1b8aedb869240416b35501cf0079666841d1ec85e49e9c7e9c97b5415bc6de6960f6f07ed410afdade12ffd1e80ceb51a1a

memory/2972-349-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso10F4.tmp\ui\res\Montserrat-Regular.otf

MD5 27e50ffd6a14cbc8221c9dbd3b5208dc
SHA1 713c997ce002a4d8762c2dcc405213061233e4bc
SHA256 40fc1142200a5c1c18f80b6915257083c528c7f7fd2b00a552aeebc42898d428
SHA512 0a602f88cfba906b41719943465edb09917c447d746bfed5c9ce9c75d077f6aed2f8146697acd74557359f1ae267ca2a8e3a2ca40fb1633bde8e6114261abd90

C:\Users\Admin\AppData\Local\Temp\CabF180.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarF28A.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF71E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2ef65c68d94603d25277d3b57769549
SHA1 69778daead46dce60ef8b1b6bb5b81e7499abc18
SHA256 efa5f6d7230d47e07bd7bc49eb9f1c2b6538cb37d910830da0a7efaad171bfa3
SHA512 b90c1929b1ae5bba14d4b6a89869dad5805253f791c0aed1491e822157867982c29f8b4167ab6721c22e671da701fe30a105778c4cf1bd55cef32f52bb1a7777

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 470466325b23e150625d97a4dac5f063
SHA1 662797d1c41d109796a2b8f77df97f9890e7d5f8
SHA256 efc1dc3eb8e8b662579f73412dc06f07ddea7940c00f62960a375450e7f5e063
SHA512 2b426556bcdc314869da7760b06518b64fd55dc76529377a3a332cad4b73ae5788b8309de2a84df535e9c002ad96aa2b594442e5eb800d51517aa5014c847b8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03b22dcefa0a6e91329db7a48946f906
SHA1 2111337461afed2c54b88ca714ca779ee549d6b5
SHA256 3a609c5c8db55cb70eff5fa971be0ba9404502201cb0a7524a863d6648085b2e
SHA512 dee4fb590bfd8a2fe0ce84875ff950818a4c124d8633c28445750707ef02e4ceb633274405570d7cef7ac95c76668083ca00727cc0c91066e3cb21f2cddfbd74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1413c77c74758bde870886ad0389650b
SHA1 3f4c53d5198aaaf45973a5c895fb944529792ee0
SHA256 7a1ae07baea54edcacf422980a0842d73261cae07d4a3258db7062b46782cfa2
SHA512 b2632b8f2309ed2a7f12a7dd7639e3311c6ab4fd374136c74ec9e56a70cab6653b6f6d988b9da675a797868c875b173af38c100799b430bffada226e3c779f4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 f2e9f9501467aefaff28f927a6cc30c0
SHA1 a3d8ac6bee88130da1bf36e84bd8fb3f105bf885
SHA256 6146394c865cfb587d6d87b43828010e9ace82bb8cf17e890e7c6cdf2a2feee2
SHA512 d5243db979ecd8ba78b24f2972b46abda40ba2f58516ed76ef10382e4d278aaeb56f96d214a379c2de176fac351f3bca3cd49b87abfa25087bb145dd6313b95a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 f49437124d00077fb0b96151989d079c
SHA1 d567bab545667f7b6ba4990ae86ea45cbdcade02
SHA256 91b8bdfe44b8935e147ba1e28867fcaf6657412a8bb4c498d4115fece1c6a370
SHA512 6b8a59849084b5fed7c679444ee114b7af10c81c8e66bb6dafb4ee3258bbf109c71058fdd4b722a500ee38b0588269d888a8fca59e6854dd367d595988e042c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2691b5421256b78101f547714136f80e
SHA1 01f73a2502add9e425208a889db9fd927595ee60
SHA256 dd3baf69a26745c1cc0c36b54cf8243a52e8d544f36f23a7cabb0eeddc9ef351
SHA512 b7b5acd5867d74724c54223b104ac876f6d99d8b9650578a9fa6c895acf189897403339ddf0b815a0db15b6e05c86ca6d821627653e816bda28075cfad677ab2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4de61d70b844306222a6722ce7b7c79
SHA1 ffce8c5d74c16a9d02f0b09f5c6fbc1656a218e1
SHA256 42359e99717bd9f67412d1a1d5d7b21129bf4b0bfc249bab9c8b18f6b109f2c1
SHA512 525b4be64d6269342dc6e9eaadd9ed6b08f0cbf99f7cabb653086913eb16521df813c1dd06613974a9c19478ac437e15d5c46cda881ba4d9f16b6962dcba81e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d16ffd974df45e58a1dbcf880a7b85ed
SHA1 70969222d4c89cd7eaef4394454fa8158f5b6878
SHA256 3d540e0b5cf816ca7aa2bec042b623ee1f191982e37aa0d8b943813c9a5e1e84
SHA512 038aca2074e4941df65dd1cb8fa9feb3065ffc8971d062b3e5a5897617bd81063cd8dd13fc9d19c9b6f2b779de91d9149f0b7c90c2eef0f57ce7bad7caea0fda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb9f1203d5b854f494fc5281d1eca92a
SHA1 184e8d56d8612fa4ac1c914be6e66981c3aa1770
SHA256 ac9e1414d84b15f418c87666f6ace50f4be5eae908cb0304dfb6e4b78e7cb24a
SHA512 3a8aec0d465c5ec647c007950956acbf752385e9c43f57946dd0ace18feeb1573281a876993abafbe79c63997be3d2f7faf6d1b4b2fcc69d26b1f1290c7b2169

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c67c4e14dad23e13ca6bcdd640e117c
SHA1 dce4b4d06f00273b04b8425617b39ad3dad151df
SHA256 4e4f0d76ac895d089216f9b1ae41ab170ba09e06f56a0aa52b1ee003a5771079
SHA512 4bf695fb3613e1cb02050114e9a57b95ec65348c8f4daf14f587f4dc31da0281491e40a580c63adad966fa96fba677321bfb17dacce805e1ea7ed9e2d029eb60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04e3c707dcd84658750f9bbfa9f10ecf
SHA1 70d87767c0462349a2d4cdb75786ad3c7f25a0b0
SHA256 867ce4c64dfc4bbb6fc084efb1a728bb92a50b535dc1a56364e0e9d1559a78fd
SHA512 9e3ea5c945a886ef4ae77ff431bc123ee19f9d651239ddc262e4aaf5bdf45610f0c480443efcc31d5b142b5495af6dad04d9dc57256e5dbf110469139ad3ed23

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\apiary-legacy-vue[1].css

MD5 10775f84f522eb270cb11f3914a711ef
SHA1 2ff8a0e8fc4d1250501fb0f51ce098bd94ed690f
SHA256 d3a62f9f540342284b4fa0352da601a081d052d98032f93f782bdf5ddd41a34a
SHA512 5f2b38c69ded6423b2fa8d88803c36ce89be83be1b014386c8d0ae7c02823d60842461cdd077dbf79acfd2cf19dd4e5011257c50234f02ab078785a27bf1e76e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\css[1].css

MD5 4c76be68c3b3fb30a9e6a6bbfa5bdf6e
SHA1 a496d6a322eac6380f8abc3f9f60d9b8b28df936
SHA256 622138e1bf87dcd617e8abc9c8cc33ea6286817b94ef97cfa88140b25d4b31b2
SHA512 14cdb7f3a48996e2bd7a626b86a7de7f978ed5f389176816d4e2c8fc0a9d97081aa242b66bc88b9db373403e025c1b3d8a333b856a75e08329d364ffe019f634

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\apiary-legacy-native[1].css

MD5 4e0fbdf485dd06ab6caca06e370e24e1
SHA1 f9b3583633ad1d9bef05c6eb35bd9553b7b6ebfd
SHA256 90ec25ebc730e72db17894e00efd99996ea5ef61e1ab90fc6302eabfd51f48b6
SHA512 dd25fa9b1b6d4a990414073bc8528c1019d37e01ec5b2d81df8691a377a81205edb2cc9fbb7f06dc67e7d8235b5d0a651c58bb2f2c1379f0b409abfa8c792010

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\OtAutoBlock[1].js

MD5 63c3184c909bc7998bd23dd5bb0f77b3
SHA1 3ef36e419274135b4adc487bbfefb10f0569c9c6
SHA256 26448efe01d31ef2f622c08599388578effc22441ed1c77f2d7b9d69be9bd117
SHA512 4144e19495049b59362189b72b046b4955b90db9ea89ddc1be3437a7a451e458a1d2efe1a20a15f80e3a11c139a0c960b0288c4328ca76fff6569305e3f42fc8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\otSDKStub[1].js

MD5 f18b357811c039616eb24f0baa46360e
SHA1 7ef528148c7fa2df751baa512f8ea24c84a7c19a
SHA256 5be2dfa172d505acb197760b55c4731347cc239a7a046013c251948bb8214dbc
SHA512 f9498e8904ab5f3bd1d4ff6506007acce1e0a0ec989e3cab9801cb5a3020a0bc3504260b0a97bc90b4ea1f07e66d58916070c5ec0cdcea23d36ba17fc5277284

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e14ac209fc78c9126416dc55fd5d1069
SHA1 cba03d4a97596bf369b5ef3edc5a9b2c80abc7f2
SHA256 57f8a8b91e66cd6894c905c9f62993fc5d95755d70eb9a3bd097716371434607
SHA512 7d9ff6a18a8b7e7480959c39afb1e9d3efea71cc3ecb988fdc88ee799f65ae098a33694295241207326072f7969b126b601526531d7d8f01d12359fe047abe23

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsiH0B4gaVQ[1].woff

MD5 9c845091c3e04d05faba9fa0a7dd3f87
SHA1 87588c9a58a0e2069439e138fb09427a208baf64
SHA256 d4964864e91e640a2b1008f4eca62cb388db555a4b1e86fac028ba01d139db97
SHA512 8d7804b5b4105fb671a5e5fd27543faa297ef62a690feafeb8807878684daa77324b189940445afaf507ee1c16ac4503023e6cef3ade21f47b81fcc3eb38a0f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVQ[1].woff

MD5 3408fcf92be2fc1ccbcf3b6b5a8c6c71
SHA1 1d48da2c117877e6b718cbb0a9e6da2e62fec833
SHA256 377f3fdb92b81f0045c2e22da66b40f00d432b6322581f19d6dd0eb7c245afc6
SHA512 a5fa1d450193a96e58727eb4e1339d91607c720aa4fa059bb4413db2001e98b8ada8b37c94a0c89b1bfc816a0845a94371c685ebe86c09b5ce03e0f1e9b870fe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsgH1x4gaVQ[1].woff

MD5 bbdd84b53ccca9252a2eec6dc1b3e7e7
SHA1 4b997e961a6013fb67c28a1afed5a6bce371185a
SHA256 bf07d6a79fa4d9884810ec79b457dc2e4b583393b1efe93621dce64fcdad59a0
SHA512 5749b11c29b62166788df0ad07d109380151293fbeb6d23b000da2a4d62268be2ff09b76226a89aa4a9f9891738e6087eb84131c357b2d9e9f45cdcd0ce620fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsg-1x4gaVQ[1].woff

MD5 c132b75443276419fd8c1c25deaebf28
SHA1 53fcdcf3c135284a585689f98e0ea41ecbef1dc5
SHA256 ad10e734c779c95dc5b34407165e6f1ed5d7d108cc6fc882d72c436cb83c131e
SHA512 67e13fc5149f746513602d0cabb3c7c33c5eb52d6e6b82a8c622a272230cceb7c6b97199f8d7f7778470ebf256a873f57f4582563bfb0d4a04b3644d51428183

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7061bc35e80c55e334ca4b550481ead2
SHA1 32d0c99fd592953a1b3c64e4cfd2115b8f97b96a
SHA256 9dc029a7bffc13caef2dff6aa9524954dce3ce43334607c96f3d8aaaf75a47e4
SHA512 92099b18cf52b450cdfd9926d3fe6e914f4879bb78a24fc959dd1c83b4224f1b4250ff61d6af651cc19eb139e5b2ae415e6b1042fb342e923c3dd6873b9981fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\vue.global.prod.min-3.2.21[1].js

MD5 8fdef0c1e8850d0c97dda608f0bf891c
SHA1 3a35526c86d5eca2cc1ca5bfe47d4f00a7f0ef30
SHA256 0830994c5c05693539a9d8bcd3649a3b5f2aac58a9845d16f495bd53c5811f80
SHA512 e8120c3b85c8e7fec25589a98f0c00a54b77840717b842b7e9ac78b6b3cee180c57f7471bc2a30a3ac97e7bf8878432e1a39f9f15ff5ded436c7ea1dd5ec2310

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 edd54285c25cfda23f79dfe0efe515cd
SHA1 f7542c7e5ea15a700221b80d1f342579c955fc71
SHA256 c7fb5d888dde118c9bd12a01a59431948954a157cfed901f9b0040d402693135
SHA512 219c1065b8add0719ec985e65fe17c1a5c687a4b003dfbee9a975bed305d6c9ae70c041f45d5eb5238ef0334aa08f0623ed498b5983f7f8d2bb4a432d4ca2248

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\jquery-3.6.4.min[1].js

MD5 954f70f07f05742168adceba796dda72
SHA1 edf8a6a066f201b1ffad32c585bd79c9982d4433
SHA256 4da87c258eca460d39cdb0f6158cbf69af539d05a1d14f1bc011518511d02228
SHA512 66ee57172810e0002c308c1fd5fc008c1c64573602627ca0313d97742d830c72bb7d26dd3b069e1835c5e3d6f8721f856809eb9ccef18ce8934ff7758f645717

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f822be6652621b5efa43208ab2b7bc2
SHA1 e2567493263c204ab4a5bdcdfa81750e9045017d
SHA256 16aa527abfbe287eadc873d38dfe42d1e74b0851d907253133c0b9dbeca38586
SHA512 2990228922a2fd39be4eb5e1df661b9e4cfbca4b858773dac7a7e4f7f5e8babb36e3e5e0f04787a8f6f8b35db2fe6a5df3e392c88c284c3d17a67c664ac893e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\apiary-legacy-native.iife[1].js

MD5 9d5af0efa8e5d98b8706923043aeb39c
SHA1 c0cab3679b98816d62e510d000a6f719b7e02967
SHA256 79ca070c7d427f7c4e6a47326a880e4d9784025c50efc03737195998c0c31a81
SHA512 bdbe74a9298b2354d6045cd56774cd06b94ce03943b3ef827499e841adf946cabd9b89a350e43259555dbf0607c8982647bc5c75e99358ac57994d612812fbeb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\apiary-legacy-vue.iife[1].js

MD5 99e27999aca338d85147ae3b4e19e4fa
SHA1 e8b60cf759b04000f0d69d8601eab53e24bd2ce2
SHA256 ce367ec856930b4143d3075aac46e9751469295b8995cfb3bd3f31a833e54ad5
SHA512 eba76530d59cdf4d6258ba75fb8dfbefbe8559c8d1d3a409ce7b85231164ab81d13b2d5241afda912af457c2ad48b74eba889792905141015ba34435e7fae4c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\addthis_widget[1].js

MD5 de3701eecb9340ae075e05b04bb05a6b
SHA1 1262474193bc31e859367df01c4b2b26214a375c
SHA256 f475c34186022ba531ebc8bba97fc10df7e4c3ea854f314a18ab0644c851620d
SHA512 4cce11abf10df2640900c923b0cac9ae1b80890f52701d5b57ab937c4752e91aea392ed9439ee24357a6f88ac6f0f79b160a9c080f5670220c29c81b5148c69e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\api[1].js

MD5 858a688cfc2341d705b9040939ea5d09
SHA1 83b67aa83140f6ecbe1ab06b141125fde682947a
SHA256 80bc7506b24b576af0b9d481457238c362991a03137ee0daa1fc86ee42eb5e84
SHA512 560448684b02d10f244e9b7e46aba93a51fad60c1a569daea2ac46704a44960bec7dc3cf1cb813f81dbb9a165c8c2027ca4c331d69ca87788782e0735e4cd693

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12809db4cfb24d203a30ce61a02e953b
SHA1 655c56c42e37e167106deb5a5fe60dffb37935ea
SHA256 e50bebac5a1d2afc32174adadd11d5934466b9b8537d92a7fcc2efbe274a9dcf
SHA512 dde5386ba78b57056013f5b7dd035431232e0397038dabf2d0ba7a0a7197bcafa8753a0566aa6f396f5d046c1c2d3dc5ea33403e472137b7dc005469a57ec795

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\IW1IBFS1\www.ccleaner[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0bb2e76388a4bba7f76debaf1ed56875
SHA1 e28e3ec52754f628194e6a05c459b32e2c756ddc
SHA256 8ee704d09bcc24a61e5077bfac6335ed5881ce836ae450051eebfbd27b4a3ad2
SHA512 63683a0f1033a2b46ac27ba4fff86d41f1c27fe4ae32e3e2b77948a7b5f1bd49bc4810b8ae416497a476466491821b98d2efc51f58712c58f5b2ce27b11497f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31b4d6e8de76e00ea60cd40c9991d46f
SHA1 8923d74f1ebf6488ff8dc036898c2b51ca6b5d36
SHA256 44685d0016de1679f8584d778cc428b8978ee914172dc56f6c6ad20f202b510b
SHA512 a08b36b9e3f26702fc2a91c8d9c15904acfa5dcea2702ec5f7c473ae554c16723ae9d8550d02f3e41d0bc2fde76cf7dc092b3e4043b5ca86f06c1b77c3205496

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57463a63efaaf19a439cd7c24fd58021
SHA1 cfa0e5fe3496793c5adee583b206165ba0e7f1c5
SHA256 15993fa6c3fa856eed3847e107d465360615b35d3e0c448cf659750a8ad533aa
SHA512 55e444b442f35161b7d1d30443002ac088a3042d2cff27353048e8a2769b573fbe735300b2f5ac51597d0b19c05cbd07772c486332703cf5d8a79b01f3b54cba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6f497001c029f20fd76ded3ae08f4f9
SHA1 2c4943e7f0806909eabaf6729fd5c68fc00a153c
SHA256 1756a0da62c5769104fd9c31959d965dce4e1e2b22804538b1dbe34a3bfd55bb
SHA512 72a14a8d58a8b344edba0b65d536b797dcd9a0ef5ae666a50521cfb3407b8778cb6153c9a06fc281c4b2724c24730cb0582fd2f1bbd7ea2d75e03c6a915ca697

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f83a3327c6c5629bc7fa5a1e7eec6915
SHA1 a21a84222b7487e13523d34527d4afe496ee2158
SHA256 1efc4f5dabae06c5f94e23b02a1b06343ac23c0a50a49a79bbb53e5f568f6588
SHA512 871b86b06cc84434c3514a262f1b9a9e414a47fd1805ede1a953f17ab90a202e9c1a5c022a3579135e7e5f1771b6f19840fb3960828dc6bc31e6f3967b0d6bb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39555d3caa2811ab69d13c9b1b76ae1e
SHA1 82cc0a07cdf1fc8073204c06d556db58356eb42c
SHA256 9035b63747f4e1ed08d0570e2cf9ba025870a545bcdae7b66540d6e54c351528
SHA512 24bb5520dca56aa2a7d1531a89ac0b04b4039bfbed71dcbb979e511cbd2fdc1bb39adca3a972fe05811daee1f9668977fa81709f246e507ee3421ee43bd16d4a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\analytics[1].js

MD5 575b5480531da4d14e7453e2016fe0bc
SHA1 e5c5f3134fe29e60b591c87ea85951f0aea36ee1
SHA256 de36e50194320a7d3ef1ace9bd34a875a8bd458b253c061979dd628e9bf49afd
SHA512 174e48f4fb2a7e7a0be1e16564f9ed2d0bbcc8b4af18cb89ad49cf42b1c3894c8f8e29ce673bc5d9bc8552f88d1d47294ee0e216402566a3f446f04aca24857a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ab2d4d4e4287d6de9c07c4744f0d6fa
SHA1 ec74fc5ede85c3fa5a894d61f9b6b1f7afac02ab
SHA256 f4143b8bf129f552e8102ac6630b4164c346fa2b33078a2e08314559548318bb
SHA512 b865fd6957b934627ed6e94147601c122d4be4c71805e13a73364565e455500a82500d9431aec63cf0e9172759258c0bc310b8f3402215db0487cf936d84454d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83f767dce06667cb92c4c62e87998d8b
SHA1 53edb71048412b5faa61d6a1003435f49a4553ef
SHA256 a4b3d8937e7c25dee835ca144c5d4d4209bbb869501e556fcb04e9f9d43e13d3
SHA512 8192740fc860ef82fd540f9b17cb5c4c29fd3cc2ad464385c3d802ba20f666ae1c48cdbdd98700a465d5b01cfb6e33a51c88fc9239815871cb96336f282a3eb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40c84d2e306cfcd7948966240b450632
SHA1 f72279e3b59d78933a3a4a7fd4f366618db76fa6
SHA256 08897ec8dc2daf54ff423202aeadc4b686a3051d2180f38b89b56f3b745da488
SHA512 a9910db08aaad09fc45f32895e2afcf9a5df1756cfe1fed19c50df6cd507d3d625c30735bc05b1f1b3b87177639d406810ba0191b62eba664f5e1d2af39bf96e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\js[1].js

MD5 76e707c03628b7ccd323f2d2debe38d3
SHA1 7f9d33f49a07db1cb1d40974a2cdce4062dedbdd
SHA256 5548ce3793cb9e0e66b86bcc3403a6c842cef36719454a879d1705bf07af3ebf
SHA512 8f348a93680b4f8efa4cf4f0c3ea0d07416186bda83d0c13a3467bd41e7e6e1892d96183d1030aa73a7d436201c5e5e33f9cd1fc22029c2280bb75d3c0e3870d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7885faddf61a2c77910b7f4b1325f088
SHA1 44b17aa66bf1a2fc6aea435d8a25e389066a561e
SHA256 cb3566ec1334f36c44af83ddb3877ca7e148701d37750861a59d580f1a1c78a4
SHA512 d47d95d342f6a2587ff5aa8aafdc24c368461ea9e2613e916a66d266ee0d68543a7570820b9c68b9b3264532adfb2119a29e6006dc1120e1b62872a2d0d3d03e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5d58001f93e4b765400f178a6c8ef9b
SHA1 6324628ceadb3da76537f6f10f4cd4659738db7e
SHA256 7daa3e3a0536da03d927a4b1bb9b7a9c4ce64d723942d635c53fc44ce3e8ef02
SHA512 b3432d968ebc1a8456455632c058c11f68c5e40be2601abea7e2bf4a57fd21fe39044fa7feae2084d9ae196b9f328010965863775be5f739383c9d9b2c9e00c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1023e65273f0400f9a243028647f1365
SHA1 183082374fc6aee5cea9bd5cb78c6d0fd57c3c1e
SHA256 09a94e1a96419d8b21ebc7f76a746dd24e2fe01107b627b81f1a66eb00227cf2
SHA512 b28b815ec61ecca211f24bd2dbfb807f8bc6ad41f9428873c945cc8a0dd3869838e46bc479bd58d3a7515899249cf1e769015beffd3f666d663041b00911acdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65cfe465ae1e9cf965657e7c45f1271f
SHA1 7f5c5301f14325bd0971a4741ec0fe424f61e0f3
SHA256 07f311c81584162d2e26f947ee1a7e0c49b502a9b2d252028e2acc13c1c282fb
SHA512 4b3845fa13af42f81929f5d1e2f3bfb3cadc9a922ee539a81edaf240a0b5d43b0ebaa87853aa3598765dfd542f0fd925ce81ca4eac2df488e7e0216a11eed191

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\ga-audiences[1].gif

MD5 d89746888da2d9510b64a9f031eaecd5
SHA1 d5fceb6532643d0d84ffe09c40c481ecdf59e15a
SHA256 ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
SHA512 d5da26b5d496edb0221df1a4057a8b0285d15592a8f8dc7016a294df37ed335f3fde6a2252962e0df38b62847f8b771463a0124ef3f84299f262ed9d9d3cee4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f22966d2f7c883c8f217227a8c796b5f
SHA1 3b24384ac0c2d88087f9bff06b94c6ef49f5c44d
SHA256 44a51c237bc8ea86a31790da0b8badf463ff5d10b22c64e371eb96c0121485c2

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_107_\$_107_\pfUI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 420

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240611-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1028.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1028.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1027.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1027.dll,#1

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240611-en

Max time kernel

45s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 240

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:12

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2588 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 636

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240508-en

Max time kernel

90s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1026.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1026.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1029.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1029.dll,#1

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe

"C:\Users\Admin\AppData\Local\Temp\rcsetup153.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\nsm574A.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\nsm574A.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsm574A.tmp\g\gcapi_dll.dll

C:\Users\Admin\AppData\Local\Temp\nsm574A.tmp\ui\pfUI.dll

C:\Users\Admin\AppData\Local\Temp\nsm574A.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nsm574A.tmp\ui\res\PF_logo.png

C:\Users\Admin\AppData\Local\Temp\nsm574A.tmp\ui\res\Recuva_Logo_72px.png

C:\Users\Admin\AppData\Local\Temp\nsm574A.tmp\ui\res\RC_Computer.png


Analysis: behavioral10

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1812 wrote to memory of 1116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 1116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 1116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240611-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1029.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1029.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1025.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1025.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240611-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 220

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240611-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 236

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3100 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3100 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1468 -ip 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.107:443 www.bing.com tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 107.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1027.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1027.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1031.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1031.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1028.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1028.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240508-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1031.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1031.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4248 wrote to memory of 3404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4248 wrote to memory of 3404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4248 wrote to memory of 3404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3404 -ip 3404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.178:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1026.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1026.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1030.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_108_\lang-1030.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3980 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3980 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3980 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3540 -ip 3540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 1796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 1796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-15 10:08

Reported

2024-06-15 10:11

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4520 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4520 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4520 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\gcapi_dll.dll,#1

Network

Files

N/A