Malware Analysis Report

2025-08-10 21:20

Sample ID: 241031-ma9flavkhw
Target: 8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04
SHA256: 8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04
Tags: discovery evasion trojan
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 6/10
SHA256: 8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04
Threat level: Shows suspicious behavior

The file 8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04 was found to be: Shows suspicious behavior.

Triage context: every network destination in both detonations is a norton.com or Microsoft host, the only URL opened during detonation is a Norton 360 download link, the Norton-named files written are all under C:\ProgramData\Norton\, and the remaining writes are CryptoAPI URL-cache metadata and temporary files in the user's Temp directory. The signatures behind the score (UAC state check, processor and BIOS enumeration, SeDebugPrivilege, a write to the machine certificate store) are generic heuristics that legitimate installers also trigger, so the verdict should be weighed against the sample's provenance and the fact that the PE is unsigned rather than read as a malware classification on its own.

Malicious Activity Summary

Tags: discovery evasion trojan

Checks whether UAC is enabled
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Tactic | Technique
Discovery | System Location Discovery: System Language Discovery (T1614.001)

Analysis: static1

Detonation Overview

Reported: 2024-10-31 10:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-31 10:16
Reported: 2024-10-31 10:19
Platform: win7-20241023-en
Max time kernel: 122s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe"

Signatures

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf000000000200000000001066000000010000200000002b34ca5022f3ea4357afe5868ff380c157d90d01aef221f9841e3388c4a7f48e000000000e8000000002000020000000927c13173b3a262e618761d62c15fa4f7b5c97b06764e11e22560d88e461410f200000005c7cf1d9bd90bba982fdf1919fe190eaa284b05c055a9aabda518d3541307aaf400000007ce0f87472ef8e6c82ce6d0bda8817366293d99fce9e50a13615ad747a384c84a8abc5b5fad92d4cbce6bd316e89c6255469d8538e02fee0641797e99cd921b8 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4A739C61-9771-11EF-B1C8-5275C3CFE04E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436531699" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406ee1207e2bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies system certificate store

Tags: evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [value elided] | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [value elided] | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [value elided] | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A

Note for triage: A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 thumbprint of the DigiCert Global Root CA, and AuthRoot is the store that the Windows automatic root update fills in the context of whichever process builds a certificate chain that needs the root (the CryptnetUrlCache entries in the Files section are the same mechanism's download cache). A certificate the sample itself added under \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, or an AuthRoot thumbprint that does not belong to a public CA, would be the indicator worth escalating.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
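The signature tables above mix three different kinds of event: read-only registry discovery by the sample, browser housekeeping attributed to iexplore.exe, and two writes to the machine certificate store. The Python below is an added triage example, not part of the sandbox report or of any vendor tooling. It takes a handful of behavioral1 rows (copied from the tables above, with "|" as the column separator and <sample> standing for the sample's path), classifies each row by actor and by read/write/token, and checks any certificate-store write against an allowlist of public root thumbprints. The allowlist is an assumption with a single entry for the DigiCert Global Root CA, and the "info"/"high" severity labels are the example's own convention.

```python
import re
from collections import Counter

# Path of the detonated sample as written in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe")

# A sample of rows copied from the behavioral1 signature tables, as
# "description | indicator | process"; <sample> stands for SAMPLE.
ROWS = r"""
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | <sample>
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | <sample>
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | <sample>
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | <sample>
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | <sample>
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob | <sample>
Token: SeDebugPrivilege | N/A | <sample>
Token: SeShutdownPrivilege | N/A | <sample>
"""

# Assumed allowlist (not from the report): SHA-1 thumbprints of public
# roots that the Windows automatic root update caches under AuthRoot.
KNOWN_PUBLIC_ROOTS = {
    "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436": "DigiCert Global Root CA",
}

CERT_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\"
    r"(?P<store>[^\\]+)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})"
)


def parse_rows(text):
    """Split 'description | indicator | process' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        desc, indicator, process = (f.strip() for f in line.split(" | "))
        if process == "<sample>":
            process = SAMPLE
        rows.append({"desc": desc, "indicator": indicator, "process": process})
    return rows


def classify(row):
    """Read-only registry discovery, a registry write, or a token change."""
    desc = row["desc"]
    if desc.startswith("Token:"):
        return "token"
    if desc.startswith(("Key opened", "Key value queried")):
        return "read"
    return "write"


def cert_store_findings(rows):
    """One finding per thumbprint written under SystemCertificates."""
    findings, seen = [], set()
    for row in rows:
        match = CERT_RE.match(row["indicator"])
        if not match or classify(row) != "write":
            continue
        thumb = match["thumb"].upper()
        if thumb in seen:
            continue
        seen.add(thumb)
        store = match["store"]
        # AuthRoot holds the OS-managed cache of public roots; a write to
        # ROOT, or an AuthRoot thumbprint not on the allowlist, adds trust.
        benign_cache = store == "AuthRoot" and thumb in KNOWN_PUBLIC_ROOTS
        findings.append({
            "store": store,
            "thumbprint": thumb,
            "known_root": KNOWN_PUBLIC_ROOTS.get(thumb),
            "severity": "info" if benign_cache else "high",
        })
    return findings


def triage(text=ROWS):
    """Summarise who did what: counts per (actor, kind), privileges, certs."""
    rows = parse_rows(text)
    by_actor = Counter()
    for row in rows:
        if row["process"] == SAMPLE:
            actor = "sample"
        else:
            actor = row["process"].rsplit("\\", 1)[-1].lower()
        by_actor[(actor, classify(row))] += 1
    privileges = [row["desc"].split(": ", 1)[1]
                  for row in rows if classify(row) == "token"]
    return {
        "by_actor": dict(by_actor),
        "privileges": privileges,
        "cert_store": cert_store_findings(rows),
    }


if __name__ == "__main__":
    print(triage())
```

triage() returns the per-actor counts, the privileges the sample enabled, and one finding per certificate thumbprint. With the rows above the only store write is the DigiCert root under AuthRoot, which comes back as "info"; a write under ROOT\Certificates, or an AuthRoot thumbprint missing from the allowlist, comes back as "high" and is the case to escalate.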

Processes

C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe

"C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://buy-download.norton.com/downloads/2024/22.24.7/DSPN360/GE/DSP-N360-ESD-22.24.7.8-GE.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2472 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 stats.norton.com udp
US 13.64.142.149:443 stats.norton.com tcp
US 13.64.142.149:443 stats.norton.com tcp
US 8.8.8.8:53 faults.norton.com udp
US 172.172.227.142:443 faults.norton.com tcp
US 8.8.8.8:53 buy-download.norton.com udp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

MD5 7d5962a2be824da6ee96b1affbf8e5b2
SHA1 98323d861995356a5fea5ba94f663963c6a7ec1e
SHA256 8e896cbdd9b377f0b5db5f9a4f4a30e2f6cabcacdbf8beb6762c9f8cf07190bc
SHA512 86a508bb794bcf7f2fd53ae0e5b902547bbbc8befd036ca9ede95216e1efb0e9f72951db027cd79faff98c012de90f369b276a380525b2982005d5fec68ecd37

C:\Users\Admin\AppData\Local\Temp\CabC86F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1644-25-0x00000000008E0000-0x00000000008E1000-memory.dmp

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

MD5 bbe8e2f10e87919a4d83aa2cb3de700d
SHA1 85ccacfd611638113134a04e7fc42e65f05a6658
SHA256 69e94a8671d503dfde5c57e0992f4d26f25b4d96e04b3405c15b740110e0c17d
SHA512 bbabc19be58dc5038ffcce5f612d45426e00c68bae3bbbfbfa2a9d68ed0af20a01ef94fcb914cddcdb306caa2652d77115a8ec3b2f32a39a46b4fba2d0d64a2f

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

MD5 b2442d9b4d22c778ebef7778b6d5d7ea
SHA1 f8282d24d329f4eeda93f16ec2445eeb9d2b1f4a
SHA256 69359c62ac9c6e01af85c96e35b727c863ef035cbb0cefe31111d02171e8f4d5
SHA512 5f8735f52add83d50ab0ccda8430d4462c287352a8476967bec43ddbb1c587d5d22f4c12cfbeb02229465e6d0826838dbd68ace12c8e5b9a46e8ae70ffaefd41

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

MD5 f4a7b56ac390c1618a7db3c87e975a06
SHA1 eb209063cfed78c55f464b4d44ee4b30f507fb66
SHA256 9281527c89362c9e67050f9f19a1576a1d69a239d8e329d0555a21b367a0d0c9
SHA512 ac0adfdc53688df3d81221858debf770e38ad86c9e4f1617f2e07d53d823e01258dd4f64f556ea0c83bd4acd655443f78966d76f5265368fc236c46fff34a86e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99a84c7772252d1a8abf937ed96cee83
SHA1 a8666504f84aff4a22f229512300537fab1c03ea
SHA256 23c1ea925e08f3c95051e9b42e3a89bdde0943bf484029ba6cfc9a4bdd04a546
SHA512 722db79c34d8566734e4cdfbb6941dc184c9177ae64ede5530114b26549fc5d45369479d3aa281490fa470cac59e6fbfcd528d39a4a575e0136dce63790c61cf

C:\Users\Admin\AppData\Local\Temp\Tar16AE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 844ef258fa5273eea1a1c71a472b0e59
SHA1 596ecd66d63300487fa1d94b8418f1cec0d0c667
SHA256 1a3cea90c9cb56eb5c5b26a2238cc842c209f4a0f8b45300fc529763e3fc3951
SHA512 ec4587247dc91721c2b10dcc9a01b481e36203ee06aebeb397d9f0e795153a3c5ac446e679eb1e6dc378eef483e55eb5a30b3f467c935153f0d35a14b727d116

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 513c9f0653d3236301326ce9797fd9fc
SHA1 6d8e3b3908ff5811623284c5c7a5dd2c4a3e6981
SHA256 c892c7c1ae6aa023e8793e5d1338789d3ce6bbb4794f695c20fe7d5764849cc1
SHA512 f26d5a6d0140a715069df6ab3c873594d9bb97adcd36ff6296d62e205762215d3c207d382d16dd888fcdc9d36f0f33555c69bfdc3a1ec5f6a9477e467d5877f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 181ab9f0b7d50084cf70da8129af70a2
SHA1 7d62c516111e4231d5d940f80000de081b52cd35
SHA256 d56f2fee13261d9d11b24e7b3b58949ba1a2bccc32b2409f7708ac3f586663c3
SHA512 a4726282ef74013bb8966ed3eb35bbbcd0e6f68dcd299642eb2049e1bb4528f8703d22808d7125e085a9732c2673f90d930146f72738f7de7162466f9cef5f15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35d86ba1c05f0c20e4c42ac0547b34f0
SHA1 127e38bd1f02ac94f032f683ad49b6823288c776
SHA256 c5cb7240dbe2a377afb1d9d5e88d58b594bdcd0ac2cb89712fed95dcd9c641c6
SHA512 9a741f4b632b34eedbb52751ad410977bccba95406976b2a77ef00b060ba95a13bc0e8459da8b3548635de859038d2081d8364059945d1bba445c21fc31ad6c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71cbd58cc8e9d1002eca5235fb070fd9
SHA1 808720c3a715a23cd26a89a48d51aeec47307d4a
SHA256 0e048b8beb66be436e5032123b95f37e81ce2fcdadc392c0f74a09e0f21c9820
SHA512 1b6c5e170a7af9cc5b13fa33fce596fbffc9d87bb7225e3f6b67a689aa7c05650dd22d363985cc3e04969f40dad618f40282deb5c266b9d13aa543a6407f5c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 832b7e20e07f2b9832090e526eecc90f
SHA1 1af7eb0642c9b07529f4b5f0b0789be4eba9ebbc
SHA256 8795e0d85150902b7055b94cf5b67b3596c3f6cde10cd05545aa52d87e6b7d5d
SHA512 73b96a4c9df3b6e30a3316ac77772c0ba85630b4a187cc1d00ac6c938d662b97a9e76e22adfc375c5ae6ccaf60f345c855714bca917e06756b17bbe60cb846bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0cd3b0763f964b98b2497e0422e2098c
SHA1 dd157199208cd9657c6f7c2e9a30b3646e714638
SHA256 133f5b0a7d8464c45975ba4a8d0f378be98d4f0bf8dbf97408f43560da638213
SHA512 20316d49a413e2c255392e77a5d847286c4580a55e0e930022ad50ec86c910e8c94de5ba2c5d0a63f56c73452e9b18ff7f8eebc12757c909da89cb70a7cdf2b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 87373f7ed4ba32ef6e4dde7f9d122880
SHA1 4abb8b664d97bb0d7310126fda2d758a9c940791
SHA256 3b51b5a1dbe39a6536eb622ce8789fd9c24d5627e033e879549e956bee3f2d8a
SHA512 98e6824451b9ce21e60f9b974eb090f732b6e8e3a00d4efbf925169aeb3654471df3f7a09f4954306ad196d5b6522363298de83acd66234fe9f1e02f4afde0a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b401f490c28cb31c97fbbbee47f4daa0
SHA1 c6d1e6ecedd8021c6b6646baea83ef604af52d8c
SHA256 0fbf8ec1fbe905dcfb15c09a1ae88b7de487a7bf8176880af584da41e64167fb
SHA512 3ccebc2c706fde3f7573b40a6663e3cc1447034c9db50e2ad6222b3551ef16a7840b99217ffbf64eff0e30cb2a0892ec65446e4ef585740b6425cbaf79678d5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 daca3b200fb9e054e1203978934e2096
SHA1 b3c52867c8c47a38708999db109046f277789dc3
SHA256 5e87395aed60c0b425ba188fa71c371ca214c8b2c798e15facc997415c3d2365
SHA512 ade659df4530729d44889c8679fe18621e735cf90ce10df969d4900245bbcb2cb6dd5ce255b7332b57dceb9a424e905479e71a7b7b61f0003e6a1097ca012904

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a5384947e84fb5e9779beb0858cecc99
SHA1 41e132c5679c6cc57d17572f99a9447dcc75c447
SHA256 ed901a6a5cfe312b01ab672378513e0cc5f4a07b2c8dc3444bccda716a09d624
SHA512 b2085a392e1042ddb8e6999dc815a9e656c7bc4c0f83fbee70bc6be1815d8e918646817d72c31781fd5c49e3f018cc73f306f2c2e41af081ba9f9ae2226f62dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a4ee15e8ea8d67b9b88d43f6b998e15
SHA1 f8f038d4fe3244d84edfe2bac4f71e2a86c034bd
SHA256 009a311996fce2d03b8dafbc2ff09fd8061b5d5f5195e3b70e6ae81670c5ef62
SHA512 2c6e89585cfd7902b86a273ebed780ec861b4580538acbbc0f101099adde149345d9f0f6c55bd8e5ba179075d81fa9dbac27281267ad4240d593be08ee8964c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be50d1614636774e1fe6f6e6dc1661f6
SHA1 3635ba97d4a7986d3ce3537e12ccc26c27c35940
SHA256 0920d7e9d5dcb41ab4a5467010176eb0a985f50d3104db63586cfa7b8be3be88
SHA512 6e8ef133fd7ae0fc7cfa37bba5646d1a27ff8001c38a28939e58e685078a196d2c14fbf006febd210199d8be8824a2a21b72cacb0d659e9cc4b5fba5892c2e85

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d43998bafcee733aaba0aea1d85fadea
SHA1 b65db0cbe38e46d97a8ddc122b3894a44775a39a
SHA256 8bba496dd54b57dfb3ffd633ec92801b6234e3510afe3096ef443ec0b1b5baac
SHA512 bdffc3c9ab1abd08e2ed0827d25ac83cb4d77f7b6c562fcb92d02c47ec53604ca1b57f4248ca82b2b326dd87eff75866299e739088289ded9bc93a2fa5ccc849

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4642b68932f95c17f61e1af3e83a9401
SHA1 9507859ae4876445aac5095a29e70fab42d0b7a8
SHA256 467f6ac9a3544196a82bcbc4a565f672de6ff822009a80b16b426640355c3500
SHA512 9f2d00a76a8e8578c9957b646447411bdfb3e098530e924e8bd16f00f2c61d1da18035d1e2f2d810d977ee8e90f5a5c859d8f8fe8289ff05bb6811a086dad00e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4756d01e488de19926d168ac3c7011f2
SHA1 512e2ef33f6fcea39671ed37d3f990c43f0e4aa4
SHA256 2454ea1a25793a6f8630588bfdf2d379fa66d23fba1a9b98debd3810818671dc
SHA512 e7a01ed0dbc90079b6445be0c97c53484f37e60d5a8bdc704f9553c3c430d65a031f1b7e6cf9615f9aa1541c9680ba8c2a77022292c4c029931ec7d68b8d875a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 491f111e9269990cbe57a1f60d5fee9e
SHA1 191f6b2b66bef106dbe63e6e8c3c5398961745a4
SHA256 7be437fcc314e0c4ab4b503e329f81829bc5a0f17354f985abdfcb4a276fe06b
SHA512 fe4e58aeb81928e7ef383571f82bcfb15780d88b094dce06a82abfc01f5ec95f757b0e72b097847dcd35b18bd454d968ed72f3c0f51d01d08b2b017e81840e7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 152f0a6b25fb8536bc1c79bd3c9c5b66
SHA1 a575d1d60202199cee9b047fe8b5108e8b560178
SHA256 d13e05632a3a330424ac70f54ac04bdf3843c6cc1d6b9bf2f652d914d0711e1b
SHA512 5730905b04973d1ad8e67f2f7c8dac749cedc0556cc12423d06d60fbc36874188ab965b5b159b01651d07442e8ec1ded839b00ef4347e6cfbe6119d83f3313b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec044fdc685ed3fd6c5ad0b16b0061b5
SHA1 1fb0d2244f6385b2ffca5a9588f0dc35362ea324
SHA256 57aa89de2a50e97057f2dcbd18de471a14b94768ae071cb227543437c9137296
SHA512 35d42ff09d0a4c80355043f3eae1a14ebb5e5cc7eaa369e1d597579b030bb0774e5cd21b00d0646b8d80c7c97e6a187628692438f177c175c9d375a54d9f7f14

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-31 10:16
Reported: 2024-10-31 10:19
Platform: win10v2004-20241007-en
Max time kernel: 141s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe"

Signatures

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe

"C:\Users\Admin\AppData\Local\Temp\8a9130e9050d81e009d9c04885d25bac59a32662058b32e43afed381e8b33a04.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 stats.norton.com udp
US 52.188.144.172:443 stats.norton.com tcp
US 8.8.8.8:53 172.144.188.52.in-addr.arpa udp
US 52.188.144.172:443 stats.norton.com tcp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 faults.norton.com udp
US 13.93.204.83:443 faults.norton.com tcp
US 8.8.8.8:53 83.204.93.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

MD5 c804f38518e5b198860ea2a554aff081
SHA1 b59640116df2b1982b79761d140aedcf33e817a3
SHA256 ac9bd90c235e2e793b3d2320facd82b8318ab6498cac9a416d356135ad5b0426
SHA512 f5c2107ced2e5a05746a6b22398b4a214bd81db4b0ff508787dabcc3bdfca33d6c7e2837d529dbc2d9a08b86e2ddccd6d1daed6b3888660f7f3e02d7b54a9a26

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

MD5 091a9f03bea883520ce2b2731127c4d0
SHA1 ab13bb472f02644cb6e4ff33c1583300b82e5694
SHA256 df8ac8b9fdedfaa6b4fc63314e755b7c58441d8283950c537fe81365a74ff83a
SHA512 5356a31b2d799af6c8ddd9b51869b05691fa0f8f9eb1ade23c681221c3588672cfbd0b4bfbe74eaf4def815d43ba0e7305ef2c288ed23c701cebed57a84eca55

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

MD5 a0ed7abd13d129897ee8c9b933029ce9
SHA1 f7a8bec43eae858ca0907ee82a2ef1e5ac460492
SHA256 e4672c21996f00a1608627dcfc1b3eafb6eda63c5c92a9c7e0d1d7417263253d
SHA512 c767a630585210f69932165409596e62f7f1d14739fa1be1810f4ebab93392fb57f15a7fa79a3e795ca43f44123a6fa17ac44f3c244b349f41034b44a2fd7ae0

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

MD5 9d649f428e0d4976a739dc594ed9918d
SHA1 fe80fb58827849a52bb563891f2be118f683f900
SHA256 a3685967fc39982d609974c7b9250f0586ccc9eb4eb95515e8e9b5048eacaf4e
SHA512 6e54159605044f9301397783d00ee03e744785ca7432bddf3979d815baf9ccc0638dc3e2f02a13f66551b89234a1b6a3f06352d3a35d90fb34311924e777a890
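The Network tables of both runs list one row per observed exchange, so the same TLS destination appears many times, and the behavioral2 run adds reverse (in-addr.arpa) lookups whose relation to the actual connections is not visible from the rows. The Files tables likewise repeat a path once per rewrite. The Python below is an added example, not part of the report: it takes a subset of rows copied from the Network tables of both runs and from the behavioral1 Files tables, collapses repeated connections into counts, pairs reverse lookups with the addresses that were actually contacted, lists destinations reached without a forward DNS query in the capture (ieonline.microsoft.com in behavioral1), and groups dropped files by path so that a path rewritten several times shows as several hashes.

```python
from collections import Counter, defaultdict

# Rows copied from the Network tables (behavioral1 rows first, then a
# few from behavioral2): "country destination domain proto". Repeats
# are kept because each row is one observed connection or query.
NETWORK = """
US 8.8.8.8:53 stats.norton.com udp
US 13.64.142.149:443 stats.norton.com tcp
US 13.64.142.149:443 stats.norton.com tcp
US 8.8.8.8:53 faults.norton.com udp
US 172.172.227.142:443 faults.norton.com tcp
US 8.8.8.8:53 buy-download.norton.com udp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 52.188.144.172:443 stats.norton.com tcp
US 8.8.8.8:53 172.144.188.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 13.93.204.83:443 faults.norton.com tcp
US 8.8.8.8:53 83.204.93.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

# Rows copied from the behavioral1 Files tables as "<path> <sha256>".
FILES = r"""
C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI 8e896cbdd9b377f0b5db5f9a4f4a30e2f6cabcacdbf8beb6762c9f8cf07190bc
C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat 69e94a8671d503dfde5c57e0992f4d26f25b4d96e04b3405c15b740110e0c17d
C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat 69359c62ac9c6e01af85c96e35b727c863ef035cbb0cefe31111d02171e8f4d5
C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat 9281527c89362c9e67050f9f19a1576a1d69a239d8e329d0555a21b367a0d0c9
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 23c1ea925e08f3c95051e9b42e3a89bdde0943bf484029ba6cfc9a4bdd04a546
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 1a3cea90c9cb56eb5c5b26a2238cc842c209f4a0f8b45300fc529763e3fc3951
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'172.144.188.52.in-addr.arpa' -> '52.188.144.172'."""
    octets = name[: -len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def summarize_network(text=NETWORK):
    """Collapse per-packet rows into destinations, DNS, and reverse lookups."""
    connections = Counter()          # (domain, ip, port) -> times seen
    forward_queries, reverse_queries = set(), set()
    for line in text.strip().splitlines():
        _country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            if domain.endswith(PTR_SUFFIX):
                reverse_queries.add(ptr_to_ip(domain))
            else:
                forward_queries.add(domain)
        else:
            connections[(domain, ip, int(port))] += 1
    destinations = {ip for (_d, ip, _p) in connections}
    contacted_domains = {d for (d, _ip, _p) in connections}
    return {
        "connections": dict(connections),
        "forward_queries": forward_queries,
        # Reverse lookups that relate to a contacted address vs. the rest.
        "reverse_of_contacted": reverse_queries & destinations,
        "reverse_uncontacted": reverse_queries - destinations,
        # Destinations reached without a DNS query in the capture window.
        "no_dns_seen": contacted_domains - forward_queries,
    }


def summarize_files(text=FILES):
    """Group dropped files by path; several hashes mean several rewrites."""
    versions = defaultdict(list)
    for line in text.strip().splitlines():
        path, sha256 = line.rsplit(" ", 1)
        versions[path].append(sha256)
    return dict(versions)


if __name__ == "__main__":
    print(summarize_network())
    print(summarize_files())
```

summarize_network() turns the eight buy-download.norton.com rows into one destination with a count of 8, matches the two reverse lookups for 52.188.144.172 and 13.93.204.83 to the stats and faults connections, and leaves 20.49.150.241 as a reverse lookup with no corresponding connection in the rows. summarize_files() reports three hashes for SQCLIENT.dat, which is three rewrites of one file rather than three files.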