Analysis Overview
| SHA256 | b3a13cdc76dea743146238de8432e0c8e5a8c8b7fb43793077ac92f8a1e1771b |
Threat Level: Shows suspicious behavior
The file logoort.bat was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Drops startup file
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-09 20:34 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-09 20:34 |
| Reported | 2024-11-09 20:35 |
| Platform | win7-20240729-en |
| Max time kernel | 22s |
| Max time network | 23s |
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logoort.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logoort.bat | C:\Windows\system32\cmd.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\system32\cmd.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BITLOC~1\autorun.inf | C:\Windows\system32\cmd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~1\WINDOW~2\ACCESS~1\es-ES\wordpad.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked_black_windy.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\it-IT\settings.html | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI54FB~1\WMPNSSUI.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\MEDIAC~1.GAD\images\button_left_mouseout.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\SPEECH~1\MICROS~1\TTS20\en-US\enu-dsk\M1033DSK.WIH | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\System\ado\msado26.tlb | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\es-ES\tabskb.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Circle_SelectionSubpictureA.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI0FCF~1\de-DE\MSPVWCTL.DLL.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\COMMON~1\System\OLEDB~1\es-ES\oledb32r.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Shatter\NavigationUp_ButtonGraphic.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.0\it\System.Speech.resources.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WINDOW~2\TABLET~1\fr-FR\TableTextService.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\fr-FR\css\settings.css | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\en-US\gadget.xml | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\WINDOW~2\MSFax\COMMON~1\fr-FR\urgent.cov | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\de\System.IdentityModel.Selectors.Resources.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\System.Workflow.ComponentModel.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI0FCF~1\InkSeg.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI54FB~1\en-US\WMPMediaSharing.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Acrobat\ActiveX\pdfshell.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\ja-JP\ImagingDevices.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\en-US\js\settings.js | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\images\triangle.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\ipsdan.xml | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\fr\System.Web.Entity.Design.Resources.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WINDOW~1\oeimport.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\SPECIA~1\NavigationRight_SelectionSubpicture.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\it-IT\gadget.xml | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\images\combo-hover-left.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\es-ES\js\service.js | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI54FB~1\it-IT\wmplayer.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\de-DE\js\localizedStrings.js | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked_gray_thunderstorm.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WINDOW~4\ja-JP\PhotoViewer.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\16.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked_black_moon-first-quarter.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Font\PFM\SY______.PFM | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\ja-JP\setup_wm.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\modern_m.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\PhotoAcq.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Pets\Notes_LOOP_BG_PAL.wmv | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\es\WindowsBase.resources.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI54FB~1\fr-FR\WMPDMCCore.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\diner.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\CPU~1.GAD\images\back.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\SLIDES~1.GAD\fr-FR\settings.html | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\fr-FR\weather.html | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CALEND~1.GAD\fr-FR\css\calendar.css | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\el-GR\tipresx.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\MSBuild\MICROS~1\WINDOW~1\v3.5\Workflow.Targets | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\fr-FR\js\clock.js | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\COMMON~1\MICROS~1\ink\FSDEFI~1\main\base_rtl.xml | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\de-DE\css\localizedSettings.css | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\it-IT\css\weather.css | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked-loading.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Pets\Notes_INTRO_BG_PAL.wmv | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Sports\SceneButtonInset_Alpha2.png | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\ja-JP\micaut.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\ja-JP\js\library.js | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\System\OLEDB~1\msdatt.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\Gadgets\CPU~1.GAD\images\dial_lrg.png | C:\Windows\system32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Help\Windows\it-IT\hgroupp.h1s | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\IME\SPTIP.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\v3.0\WINDOW~1\it-IT\ServiceModelInstallRC.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Cursors\aero_ew_l.cur | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\Windows\fr-FR\presset.h1s | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Media\Garden\Windows Balloon.wav | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Media\Raga\Windows Balloon.wav | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\v3.0\WINDOW~1\fr\ServiceModelReg.resources.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\System.DirectoryServices.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\DIAGNO~1\system\NETWOR~1\en-US\LocalizationData.psd1 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\ehome\MEDIAR~1\MediaCenter.DigitalMediaRenderer.ConnectionManager.xml | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\0410\gpedit.CHM | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\IME\IMESC5\DICTS\PINTLGCF.IMD | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Media\Festival\Windows Battery Low.wav | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\JA\System.Design.Resources.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\System.Web.tlb | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\de-DE\bootmgfw.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\ehome\segmcsb.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\1040\vbc7ui.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\System.Transactions.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\JA\System.Deployment.resources.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\Microsoft.Build.Engine.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Fonts\mvboli.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\040C\connmgr.CHM | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\ngen.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\DIAGNO~1\system\PCW\en-US\CL_LocalizationData.psd1 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\ehome\wow\ehexthost32.exe.config | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\Windows\de-DE\artui.h1s | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Media\AFTERN~1\Windows Hardware Fail.wav | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Media\CHARAC~1\Windows Battery Critical.wav | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\0411\comexp.CHM | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Fonts\LaoUI.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\0411\netcfg.CHM | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\v3.0\WINDOW~1\de-DE\ServiceModelEvents.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\BITLOC~1\th-TH_BitLockerToGo.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\de-DE\bootmgr.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\GAC\fr\Microsoft.VisualBasic.Compatibility.resources.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Media\CITYSC~1\Windows Notify.wav | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\fr\System.Web.Resources.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\0407\aclui.CHM | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Media\Delta\Windows Battery Critical.wav | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Media\Raga\Windows Print complete.wav | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\v3.5\AddInUtil.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Cursors\libeam.cur | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\ehome\en-US\ehcmres.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\Windows\ja-JP\diskcln.h1s | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\inf\NETDAT~2\0C0A\_dataperfcounters_shared12_neutral_D.ini | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\fr\System.DirectoryServices.Protocols.resources.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\DIAGNO~1\system\Search\RS_RestorePermissions.ps1 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\ehome\CREATE~1\COMPON~1\tables\alloc_1 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\0410\nfs_.CHM | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\Windows\it-IT\auxdisp.h1s | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\Windows\it-IT\secstart.h1s | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\v3.5\AddInUtil.exe.config | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Branding\Basebrd\ja-JP\basebrd.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Cursors\pen_l.cur | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\DE\System.EnterpriseServices.Resources.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\Windows\en-US\sysman.h1s | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\inf\usbhub\0407\usbperf.ini | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\040C\qos.CHM | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\Windows\en-US\medctr.h1s | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Help\Windows\en-US\presset.h1s | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Media\CITYSC~1 | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8FA35E21-9E2D-11EF-A4F8-F6F033B50202} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8FA820E1-9E2D-11EF-A4F8-F6F033B50202} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\cmd.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\cmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\logoort.bat" |
| C:\Windows\system32\msg.exe | msg * (Muhahaha) |
| C:\Windows\system32\taskkill.exe | taskkill /IM explorer.exe /f |
| C:\Windows\system32\rundll32.exe | Rundll32 user32, SwapMouseButton |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" http://www.evil-shit.de/ |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" http://www.akk.li/pics/anne/jpg |
| C:\Windows\system32\format.com | format D:\ /F |
| C:\Windows\system32\format.com | format E:\ /F |
| C:\Windows\system32\format.com | format F:\ /F |
| C:\Windows\system32\format.com | format G:\ /F |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2844 CREDAT:275457 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.evil-shit.de | udp |
| US | 8.8.8.8:53 | www.akk.li | udp |
| DE | 62.143.36.236:80 | www.evil-shit.de | tcp |
| US | 199.59.243.227:80 | www.akk.li | tcp |
| US | 199.59.243.227:80 | www.akk.li | tcp |
| DE | 62.143.36.236:80 | www.evil-shit.de | tcp |
| DE | 62.143.36.236:80 | www.evil-shit.de | tcp |
| DE | 62.143.36.236:80 | www.evil-shit.de | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FA35E21-9E2D-11EF-A4F8-F6F033B50202}.dat
| MD5 | 150372768c9784bb6adf229d6cc97312 |
| SHA1 | 524b44ef15daa44928bca816792a38c9e36256ec |
| SHA256 | 5b17ec268828edc206f8375a2a85b24746a5c3cf995ab93eb6b13fa56c781f8d |
| SHA512 | e447ef06006072d1f56917656b80e7926628bc0ad55655f721522179e9419400c6613fc8bce976964eb1000d352ebb4fc752e78d31311d13b48a7df8b8363604 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FA820E1-9E2D-11EF-A4F8-F6F033B50202}.dat
| MD5 | 7a43d50ebfc56a5dee489e1f827c2811 |
| SHA1 | db1bcbbe39bc2e3ca00eda82a8710c4e83fb7d9b |
| SHA256 | 5bbb033eb0246e1c0dbeebf124fe99c86f95c8410cfcfa4724b730c473a599ad |
| SHA512 | 94ada9c0795797eff1b50ac207b4dce240e5ba017c59fe7a11870b59829fbb096d92ebd6755591519c8328c832b2899170a2daa5459c094c9f29f3cd0e9837dd |
C:\Users\Admin\AppData\Local\Temp\CabF8E3.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarF953.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 318360d2a79f5c575080a9bf2cb6b730 |
| SHA1 | ee8207543a9f32f69304d8b580f9a06d7388cb09 |
| SHA256 | c4796307ee0a1a7bd5e8c34de4eaf18e55f1833970f61b4e94ef28a388ca6d7a |
| SHA512 | 6511efbe160e7e0fe16ad352207851d2971564847073a96d2d48e5d3707f9977b7560a332027883e48a47c2b46488133fcbabc2906b402b8600aeb118d8f30ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 48b1eed8ecde338fd3a7e13fc6b51c50 |
| SHA1 | 325648e935d7ada3abbd8b8cc76538d4e219080c |
| SHA256 | 8a6136dabca57e829254f27ff0adae6744c63cd4a41fa8fbe9d67effb7e0bafa |
| SHA512 | 4471cc90d665f2f9e90a08e2ddda191add7a526efdbc040d3562a140b84f3cd91ea50b1d4cee19e42e165eb6f0be41d6ed29f30bdbcd51eee9f1086f61d40a00 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95c208e5596aa6bd381eabfb6925a7b1 |
| SHA1 | cd3fcfbb3d7e4c3ac3e199d86017c2b868e36bb9 |
| SHA256 | f8f1dfbc92bccfca76856e3e14c148b9cc263023f983525378fc022b4c6b749e |
| SHA512 | 81e4452b150eff6084b9e9d157f1946b70d1c768df658adec79d5eecb1ef82d8e8dcaac342f358d737980eec38e6d74580fdd588dc1b801d4d6160f1323992a4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 60c7666393c4180f6f000e8854c89e8f |
| SHA1 | 9c97c7c126f3fbfd3eaeb15472fa517d03b81976 |
| SHA256 | af6ab26e5c9fc2cbc578e966a3575c96503e08fb0bd0bddd718725b9b12cd15d |
| SHA512 | 3f108ec291022822c36c938b66edd9c9f4b73b00dd9b541d85fb5e4da54801296d4c0e80ef52534bd13aa5bbbb3b8534c029eff7ec31b1382122a5e0d0a01045 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 85c00a3a90d172a1e4b1994558e4191c |
| SHA1 | e88b741f1d18f92b81cf86f9e9cabe8d1ec1b4cb |
| SHA256 | 4055317d05e3daa7786c898ae45b48f7216647315ab3b035cfe8c1d6ca716b03 |
| SHA512 | 7db907b8e58839ad1a6bd410636dce29ad9592158932039059fb4a03f38b77a708c343b39c4fba24dd76cf862576498b9a99e5919bd681e810e5fcf03027eab9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 56c66a0d06a3305cc26d68e054bc0020 |
| SHA1 | 9643a76a210c36e27dc5d377fd33c61b494e9184 |
| SHA256 | e163e51d9c60ef206c3028808f714655a881d15a20d61fe9cfca3e8bce85a23c |
| SHA512 | 0a49dacc9e965f3396148e014b109d3556298dbb88e12d5c521b279a84f083499b92be4c24b8f4b2b5e7314eb0df3f35514f6cc9611af79e78258e40fae31794 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b21d1466b3e2d975b2101d57ac7fd01f |
| SHA1 | bebbc2c02a3314e3b47a52e3fdcc65ede99fccd4 |
| SHA256 | b3cbb971aec9e9ef0391a3e0bd41950604693b12280405f19b3144407e5433b3 |
| SHA512 | fcb8b15664962d80a5ee783f3b6b4e2de59491539047f9e5e7c328651b60c397252d7d63ce47c35e76a0a60698a56c75397269940b51a15c8e0161a1ffa7dc1d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c6017da86e156c5d35f00942cdb9cc8e |
| SHA1 | e6ebdef2d9d322d9460aeb3c5cdcafa9b004e6cf |
| SHA256 | 9720891f98f7e5ad090bfb4466827a08823dfb4bd0eb3fc1b29782f0424e1065 |
| SHA512 | 04629d365bd69f4efe9582c74b80ccd70738f2601fb3aa816b5b3f9187975028c7252b7837bdb773cbe2b929532c222dee40e4895e33db366f1d2a170fa71bba |
C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Recovery\High\Active\RECOVE~2.DAT
| MD5 | 10f5ae23f474f1e7f31a8ac6eda9f5c5 |
| SHA1 | 730a164d9ab9ab3ace5ff6618c473d75e8e7773d |
| SHA256 | d011581106c4207e11b1b024d94db6f083e239932fe393f3d9f5fbbd8ebb5818 |
| SHA512 | 180ebc7ca45070f1aa0954cf24b20f6040e39a9bcd07544f5a1628584f7cc0c473a0eb8cdc9b6e4d835082289f2569f05806c8ca3993d55228d1f00b8daa0d2d |
C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Recovery\High\Active\RECOVE~3.DAT
| MD5 | 1d39eba167183d0b1161f2450c414384 |
| SHA1 | 540776821ffea0471325c8c62ea9d31a9cf33d95 |
| SHA256 | c4e9d9fbe77269f960b4253323491de236c03915aad767f53c355474fe5ead1e |
| SHA512 | 43d35d21fa1c0a288f75dc800fbc938c7ec7c70f84d174082899af754752026c900235897f0c703f8f5dfb228c9d6f23973aa392b2914ab9835f5c380f66f7c5 |
C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Recovery\High\Active\{8FA35~1.DAT
| MD5 | 3d04ab26c57448ce1e70df4b169cdc78 |
| SHA1 | 38c9d4531db306d192716bf98be608814b2a4b41 |
| SHA256 | 4cbcaa690f44072d9fa1573fa563952d50278509b0e9d00891dc2b5343b835d0 |
| SHA512 | d67c17b261cf048988d28e02850ca29cce1669e181369282074e8554e3048701ae1f0dacae2d6a6041b12a3fadaa674ba36db61a30c4b22b7b25827ef242ae24 |
C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Recovery\High\Active\{8FA82~1.DAT
| MD5 | ccd66d21eed634954349f43e8bdf8b3f |
| SHA1 | 8c24aa1e1c233f56a0ef80cfea52094643f618d8 |
| SHA256 | 0454ab2f707d350075933c270c4048401e61b13b4cf79b23be39a4a46e2fc94e |
| SHA512 | bd6d57ca79ac2d434060d164bd8a289eb15a3517f7724e621c5c33f1dbfc7267169a961de30d6cbd985fb1bd4c7e29a9d0e01f2c4f8ef110955d9b7ca91f9523 |
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\BDDDRHWK\BAPNVR~1.JS
| MD5 | ce07affa04803b8889da4add31fd43dc |
| SHA1 | 0fb5a8fcee96a30571493eab29d0e2a6555a16ff |
| SHA256 | 8c1495c44aec0fa67b5ea6caf921a72de269aff5387ae21fc97e22f94f4f7f3f |
| SHA512 | f79974074d4f5f991d2acb486189d8c8668dc854c40dc586836359fc20d38c66d0f98303962c072e119a4ca0daf1156cb8ff476c9b3cebf785f37ae73b88567f |
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\BDDDRHWK\JPG_1_~1.HTM
| MD5 | 9dd0519a912b7cbc55ab682a3386012f |
| SHA1 | 806262b5dda69d80f6b0be1b8258afb6e5b67f42 |
| SHA256 | c8b23127d7d6cb8ff6231223f1416b472b8ad451eb75683eb59390126f09ef44 |
| SHA512 | acab8a8828d793d478e1dd7d7e37943d40e1ca974457aeffdda05b8e60c0e8291b1a7f221524a3c10e68e47f01c5ad5d10fb625aadb574457ce874db441b3069 |
C:\Users\Admin\AppData\Local\Temp\~DF0BC~1.TMP
| MD5 | 8443eb75f6aef36fed415f36b8063396 |
| SHA1 | 441ea5897c6cd9d1a0b1cab9fde7d36bdf04149b |
| SHA256 | 2100aec76420a37f0f629ce4360fbc554c32071ff5750c2300f39bdc4de1c280 |
| SHA512 | 1b8d42ff3edfdcf9491329900894c5916b2f277cef64f0825efffd7c14fbe3c7e6d1f9aca02c447cb6d5f725831d5530c5b5ea02ae2729f038f7b6f89c90c5c1 |
C:\Users\Admin\AppData\Local\Temp\~DF135~1.TMP
| MD5 | edd562ac2279114db352b65c28161e14 |
| SHA1 | e63c6d341fbdd86f4845dcae1eb73d0ad260a7fd |
| SHA256 | b6d7e6fcf1dd199889b5bac7bc8076b58e7b24ee1c54c96a5088f64db559dcb3 |
| SHA512 | b291aa327da885f2fbf44441affc6742302e34d8d332924aaab016d5faaf09be7247a319750a4cf6b9af4b25b4cd9b21ece3c100d1f43ac1d89af4d28067e1e3 |
C:\Users\Admin\AppData\Local\Temp\~DFA1D~1.TMP
| MD5 | 3e49f5d4a40a875940cd3aa800abbefd |
| SHA1 | c760e2687675d99e782e53a136de4ecf0a87d48e |
| SHA256 | b801684ba3cac010615531b6a62a62eb17702f3d859b3b84dd4070a489506a1c |
| SHA512 | 5d621dc5845bfd6ad481d5d99d855c406da86206ca6f8e7eab80afe59e1b0c155b254ab62e69933ad3413b7d25f688968429ecfa02e342a417cf62fd382d7008 |
C:\Users\Admin\AppData\Local\Temp\~DFAA2~1.TMP
| MD5 | fe943cab2f20d88487fea2c3541e810b |
| SHA1 | a9301054a06212d03acf642202070270a810551d |
| SHA256 | da4be56fa93e3c9e027d944267107dc16735541c04b931608a0b6677fdc2ae0c |
| SHA512 | bc6803dce70956e3d4dda37ff14e6f9a04bd25a0d2d68f4f38492d7ade2562b19176df00b525528ca44d37a6c759f882ea249964c69749417e276cefcb77f1a4 |
C:\Users\Admin\AppData\LocalLow\MICROS~1\CRYPTN~1\MetaData\943080~1
| MD5 | c941db018d52a173604ff137bd370dd9 |
| SHA1 | a746b2fdcef1c8e63bbf27732f89fb07dd017ea9 |
| SHA256 | 0cd42f38b4c9862815b99b7a5583d3534c486e9994dbb43b3347915747745818 |
| SHA512 | a56f40ecc28ee1c63aed118363d5155c4a8b880127534f9e9fe0d937ffdc0424a5474af1223b2dfd37038e904a5bb02e71b647bb7fc77e3cb2f098667816e8b4 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Cookies\EZQHN2ON.txt
| MD5 | c5cd65032270e1eb91f619f16ae39d87 |
| SHA1 | 1224eb18cf2a50b17d5159932b262ec92220bea0 |
| SHA256 | d4979b41b6f3eccd8d6b8467be1c33b97a195c229b68d8ce2931e30778477112 |
| SHA512 | 0880ee55c333c89a8999ffc275100be6dbcb4949c56fb28a99c6ed0befe31b1a244d285cd0f8f4a912dc7c1e8b406b60d58a072e67b907b175f5a3bb11d92672 |