Malware Analysis Report

2025-05-06 00:48

Sample ID 241109-zcx7ka1hrf
Target logoort.bat
SHA256 b3a13cdc76dea743146238de8432e0c8e5a8c8b7fb43793077ac92f8a1e1771b
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b3a13cdc76dea743146238de8432e0c8e5a8c8b7fb43793077ac92f8a1e1771b

Threat Level: Shows suspicious behavior

The file logoort.bat was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Deletes itself

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:34

Reported

2024-11-09 20:35

Platform

win7-20240729-en

Max time kernel

22s

Max time network

23s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\logoort.bat"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logoort.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logoort.bat C:\Windows\system32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Windows\system32\cmd.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BITLOC~1\autorun.inf C:\Windows\system32\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~1\WINDOW~2\ACCESS~1\es-ES\wordpad.exe.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked_black_windy.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\it-IT\settings.html C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI54FB~1\WMPNSSUI.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\MEDIAC~1.GAD\images\button_left_mouseout.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\SPEECH~1\MICROS~1\TTS20\en-US\enu-dsk\M1033DSK.WIH C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\System\ado\msado26.tlb C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\ink\es-ES\tabskb.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Circle_SelectionSubpictureA.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI0FCF~1\de-DE\MSPVWCTL.DLL.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\COMMON~1\System\OLEDB~1\es-ES\oledb32r.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Shatter\NavigationUp_ButtonGraphic.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.0\it\System.Speech.resources.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WINDOW~2\TABLET~1\fr-FR\TableTextService.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\fr-FR\css\settings.css C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\en-US\gadget.xml C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\WINDOW~2\MSFax\COMMON~1\fr-FR\urgent.cov C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\de\System.IdentityModel.Selectors.Resources.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\System.Workflow.ComponentModel.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI0FCF~1\InkSeg.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI54FB~1\en-US\WMPMediaSharing.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Acrobat\ActiveX\pdfshell.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ja-JP\ImagingDevices.exe.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\en-US\js\settings.js C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\images\triangle.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\ink\ipsdan.xml C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\fr\System.Web.Entity.Design.Resources.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WINDOW~1\oeimport.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\SPECIA~1\NavigationRight_SelectionSubpicture.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\it-IT\gadget.xml C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\images\combo-hover-left.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\es-ES\js\service.js C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI54FB~1\it-IT\wmplayer.exe.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\de-DE\js\localizedStrings.js C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked_gray_thunderstorm.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WINDOW~4\ja-JP\PhotoViewer.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\16.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked_black_moon-first-quarter.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Font\PFM\SY______.PFM C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\ja-JP\setup_wm.exe.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\modern_m.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\PhotoAcq.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Pets\Notes_LOOP_BG_PAL.wmv C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\es\WindowsBase.resources.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI54FB~1\fr-FR\WMPDMCCore.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\diner.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\CPU~1.GAD\images\back.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\SLIDES~1.GAD\fr-FR\settings.html C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\fr-FR\weather.html C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CALEND~1.GAD\fr-FR\css\calendar.css C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\ink\el-GR\tipresx.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\MSBuild\MICROS~1\WINDOW~1\v3.5\Workflow.Targets C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\fr-FR\js\clock.js C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\COMMON~1\MICROS~1\ink\FSDEFI~1\main\base_rtl.xml C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\de-DE\css\localizedSettings.css C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\it-IT\css\weather.css C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked-loading.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Pets\Notes_INTRO_BG_PAL.wmv C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Sports\SceneButtonInset_Alpha2.png C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\ja-JP\micaut.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\ja-JP\js\library.js C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\System\OLEDB~1\msdatt.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\Gadgets\CPU~1.GAD\images\dial_lrg.png C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Help\Windows\it-IT\hgroupp.h1s C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\IME\SPTIP.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\v3.0\WINDOW~1\it-IT\ServiceModelInstallRC.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Cursors\aero_ew_l.cur C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\Windows\fr-FR\presset.h1s C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Media\Garden\Windows Balloon.wav C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Media\Raga\Windows Balloon.wav C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\v3.0\WINDOW~1\fr\ServiceModelReg.resources.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\System.DirectoryServices.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\DIAGNO~1\system\NETWOR~1\en-US\LocalizationData.psd1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\ehome\MEDIAR~1\MediaCenter.DigitalMediaRenderer.ConnectionManager.xml C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\mui\0410\gpedit.CHM C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\IME\IMESC5\DICTS\PINTLGCF.IMD C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Media\Festival\Windows Battery Low.wav C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\JA\System.Design.Resources.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\System.Web.tlb C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Boot\EFI\de-DE\bootmgfw.efi.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\ehome\segmcsb.ttf C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\1040\vbc7ui.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\System.Transactions.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\JA\System.Deployment.resources.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\Microsoft.Build.Engine.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Fonts\mvboli.ttf C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\mui\040C\connmgr.CHM C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\ngen.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\DIAGNO~1\system\PCW\en-US\CL_LocalizationData.psd1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\ehome\wow\ehexthost32.exe.config C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\Windows\de-DE\artui.h1s C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Media\AFTERN~1\Windows Hardware Fail.wav C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Media\CHARAC~1\Windows Battery Critical.wav C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\mui\0411\comexp.CHM C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Fonts\LaoUI.ttf C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\mui\0411\netcfg.CHM C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\v3.0\WINDOW~1\de-DE\ServiceModelEvents.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\BITLOC~1\th-TH_BitLockerToGo.exe.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Boot\PCAT\de-DE\bootmgr.exe.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\GAC\fr\Microsoft.VisualBasic.Compatibility.resources.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Media\CITYSC~1\Windows Notify.wav C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\fr\System.Web.Resources.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\mui\0407\aclui.CHM C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Media\Delta\Windows Battery Critical.wav C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Media\Raga\Windows Print complete.wav C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\v3.5\AddInUtil.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Cursors\libeam.cur C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\ehome\en-US\ehcmres.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\Windows\ja-JP\diskcln.h1s C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\inf\NETDAT~2\0C0A\_dataperfcounters_shared12_neutral_D.ini C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\fr\System.DirectoryServices.Protocols.resources.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\DIAGNO~1\system\Search\RS_RestorePermissions.ps1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\ehome\CREATE~1\COMPON~1\tables\alloc_1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\mui\0410\nfs_.CHM C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\Windows\it-IT\auxdisp.h1s C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\Windows\it-IT\secstart.h1s C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\v3.5\AddInUtil.exe.config C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\ja-JP\basebrd.dll.mui C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Cursors\pen_l.cur C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\DE\System.EnterpriseServices.Resources.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\Windows\en-US\sysman.h1s C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\inf\usbhub\0407\usbperf.ini C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\mui\040C\qos.CHM C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\Windows\en-US\medctr.h1s C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Help\Windows\en-US\presset.h1s C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Media\CITYSC~1 C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8FA35E21-9E2D-11EF-A4F8-F6F033B50202} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8FA820E1-9E2D-11EF-A4F8-F6F033B50202} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSystemtimePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2544 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2544 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2544 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2544 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2544 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2544 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2544 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2544 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2544 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2544 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2544 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2544 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2544 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2544 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2544 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2544 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2544 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2544 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2544 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2544 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\format.com
PID 2844 wrote to memory of 2272 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2844 wrote to memory of 2272 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2844 wrote to memory of 2272 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2844 wrote to memory of 2272 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 2448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 2448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 2448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2680 wrote to memory of 2448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\logoort.bat"

C:\Windows\system32\msg.exe

msg * (Muhahaha)

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /f

C:\Windows\system32\rundll32.exe

Rundll32 user32, SwapMouseButton

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.evil-shit.de/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.akk.li/pics/anne/jpg

C:\Windows\system32\format.com

format D:\ /F

C:\Windows\system32\format.com

format E:\ /F

C:\Windows\system32\format.com

format F:\ /F

C:\Windows\system32\format.com

format G:\ /F

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2844 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.evil-shit.de udp
US 8.8.8.8:53 www.akk.li udp
DE 62.143.36.236:80 www.evil-shit.de tcp
US 199.59.243.227:80 www.akk.li tcp
US 199.59.243.227:80 www.akk.li tcp
DE 62.143.36.236:80 www.evil-shit.de tcp
DE 62.143.36.236:80 www.evil-shit.de tcp
DE 62.143.36.236:80 www.evil-shit.de tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FA35E21-9E2D-11EF-A4F8-F6F033B50202}.dat

MD5 150372768c9784bb6adf229d6cc97312
SHA1 524b44ef15daa44928bca816792a38c9e36256ec
SHA256 5b17ec268828edc206f8375a2a85b24746a5c3cf995ab93eb6b13fa56c781f8d
SHA512 e447ef06006072d1f56917656b80e7926628bc0ad55655f721522179e9419400c6613fc8bce976964eb1000d352ebb4fc752e78d31311d13b48a7df8b8363604

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FA820E1-9E2D-11EF-A4F8-F6F033B50202}.dat

MD5 7a43d50ebfc56a5dee489e1f827c2811
SHA1 db1bcbbe39bc2e3ca00eda82a8710c4e83fb7d9b
SHA256 5bbb033eb0246e1c0dbeebf124fe99c86f95c8410cfcfa4724b730c473a599ad
SHA512 94ada9c0795797eff1b50ac207b4dce240e5ba017c59fe7a11870b59829fbb096d92ebd6755591519c8328c832b2899170a2daa5459c094c9f29f3cd0e9837dd

C:\Users\Admin\AppData\Local\Temp\CabF8E3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF953.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 318360d2a79f5c575080a9bf2cb6b730
SHA1 ee8207543a9f32f69304d8b580f9a06d7388cb09
SHA256 c4796307ee0a1a7bd5e8c34de4eaf18e55f1833970f61b4e94ef28a388ca6d7a
SHA512 6511efbe160e7e0fe16ad352207851d2971564847073a96d2d48e5d3707f9977b7560a332027883e48a47c2b46488133fcbabc2906b402b8600aeb118d8f30ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48b1eed8ecde338fd3a7e13fc6b51c50
SHA1 325648e935d7ada3abbd8b8cc76538d4e219080c
SHA256 8a6136dabca57e829254f27ff0adae6744c63cd4a41fa8fbe9d67effb7e0bafa
SHA512 4471cc90d665f2f9e90a08e2ddda191add7a526efdbc040d3562a140b84f3cd91ea50b1d4cee19e42e165eb6f0be41d6ed29f30bdbcd51eee9f1086f61d40a00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95c208e5596aa6bd381eabfb6925a7b1
SHA1 cd3fcfbb3d7e4c3ac3e199d86017c2b868e36bb9
SHA256 f8f1dfbc92bccfca76856e3e14c148b9cc263023f983525378fc022b4c6b749e
SHA512 81e4452b150eff6084b9e9d157f1946b70d1c768df658adec79d5eecb1ef82d8e8dcaac342f358d737980eec38e6d74580fdd588dc1b801d4d6160f1323992a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60c7666393c4180f6f000e8854c89e8f
SHA1 9c97c7c126f3fbfd3eaeb15472fa517d03b81976
SHA256 af6ab26e5c9fc2cbc578e966a3575c96503e08fb0bd0bddd718725b9b12cd15d
SHA512 3f108ec291022822c36c938b66edd9c9f4b73b00dd9b541d85fb5e4da54801296d4c0e80ef52534bd13aa5bbbb3b8534c029eff7ec31b1382122a5e0d0a01045

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85c00a3a90d172a1e4b1994558e4191c
SHA1 e88b741f1d18f92b81cf86f9e9cabe8d1ec1b4cb
SHA256 4055317d05e3daa7786c898ae45b48f7216647315ab3b035cfe8c1d6ca716b03
SHA512 7db907b8e58839ad1a6bd410636dce29ad9592158932039059fb4a03f38b77a708c343b39c4fba24dd76cf862576498b9a99e5919bd681e810e5fcf03027eab9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56c66a0d06a3305cc26d68e054bc0020
SHA1 9643a76a210c36e27dc5d377fd33c61b494e9184
SHA256 e163e51d9c60ef206c3028808f714655a881d15a20d61fe9cfca3e8bce85a23c
SHA512 0a49dacc9e965f3396148e014b109d3556298dbb88e12d5c521b279a84f083499b92be4c24b8f4b2b5e7314eb0df3f35514f6cc9611af79e78258e40fae31794

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b21d1466b3e2d975b2101d57ac7fd01f
SHA1 bebbc2c02a3314e3b47a52e3fdcc65ede99fccd4
SHA256 b3cbb971aec9e9ef0391a3e0bd41950604693b12280405f19b3144407e5433b3
SHA512 fcb8b15664962d80a5ee783f3b6b4e2de59491539047f9e5e7c328651b60c397252d7d63ce47c35e76a0a60698a56c75397269940b51a15c8e0161a1ffa7dc1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6017da86e156c5d35f00942cdb9cc8e
SHA1 e6ebdef2d9d322d9460aeb3c5cdcafa9b004e6cf
SHA256 9720891f98f7e5ad090bfb4466827a08823dfb4bd0eb3fc1b29782f0424e1065
SHA512 04629d365bd69f4efe9582c74b80ccd70738f2601fb3aa816b5b3f9187975028c7252b7837bdb773cbe2b929532c222dee40e4895e33db366f1d2a170fa71bba

C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Recovery\High\Active\RECOVE~2.DAT

MD5 10f5ae23f474f1e7f31a8ac6eda9f5c5
SHA1 730a164d9ab9ab3ace5ff6618c473d75e8e7773d
SHA256 d011581106c4207e11b1b024d94db6f083e239932fe393f3d9f5fbbd8ebb5818
SHA512 180ebc7ca45070f1aa0954cf24b20f6040e39a9bcd07544f5a1628584f7cc0c473a0eb8cdc9b6e4d835082289f2569f05806c8ca3993d55228d1f00b8daa0d2d

C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Recovery\High\Active\RECOVE~3.DAT

MD5 1d39eba167183d0b1161f2450c414384
SHA1 540776821ffea0471325c8c62ea9d31a9cf33d95
SHA256 c4e9d9fbe77269f960b4253323491de236c03915aad767f53c355474fe5ead1e
SHA512 43d35d21fa1c0a288f75dc800fbc938c7ec7c70f84d174082899af754752026c900235897f0c703f8f5dfb228c9d6f23973aa392b2914ab9835f5c380f66f7c5

C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Recovery\High\Active\{8FA35~1.DAT

MD5 3d04ab26c57448ce1e70df4b169cdc78
SHA1 38c9d4531db306d192716bf98be608814b2a4b41
SHA256 4cbcaa690f44072d9fa1573fa563952d50278509b0e9d00891dc2b5343b835d0
SHA512 d67c17b261cf048988d28e02850ca29cce1669e181369282074e8554e3048701ae1f0dacae2d6a6041b12a3fadaa674ba36db61a30c4b22b7b25827ef242ae24

C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Recovery\High\Active\{8FA82~1.DAT

MD5 ccd66d21eed634954349f43e8bdf8b3f
SHA1 8c24aa1e1c233f56a0ef80cfea52094643f618d8
SHA256 0454ab2f707d350075933c270c4048401e61b13b4cf79b23be39a4a46e2fc94e
SHA512 bd6d57ca79ac2d434060d164bd8a289eb15a3517f7724e621c5c33f1dbfc7267169a961de30d6cbd985fb1bd4c7e29a9d0e01f2c4f8ef110955d9b7ca91f9523

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\BDDDRHWK\BAPNVR~1.JS

MD5 ce07affa04803b8889da4add31fd43dc
SHA1 0fb5a8fcee96a30571493eab29d0e2a6555a16ff
SHA256 8c1495c44aec0fa67b5ea6caf921a72de269aff5387ae21fc97e22f94f4f7f3f
SHA512 f79974074d4f5f991d2acb486189d8c8668dc854c40dc586836359fc20d38c66d0f98303962c072e119a4ca0daf1156cb8ff476c9b3cebf785f37ae73b88567f

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\BDDDRHWK\JPG_1_~1.HTM

MD5 9dd0519a912b7cbc55ab682a3386012f
SHA1 806262b5dda69d80f6b0be1b8258afb6e5b67f42
SHA256 c8b23127d7d6cb8ff6231223f1416b472b8ad451eb75683eb59390126f09ef44
SHA512 acab8a8828d793d478e1dd7d7e37943d40e1ca974457aeffdda05b8e60c0e8291b1a7f221524a3c10e68e47f01c5ad5d10fb625aadb574457ce874db441b3069

C:\Users\Admin\AppData\Local\Temp\~DF0BC~1.TMP

MD5 8443eb75f6aef36fed415f36b8063396
SHA1 441ea5897c6cd9d1a0b1cab9fde7d36bdf04149b
SHA256 2100aec76420a37f0f629ce4360fbc554c32071ff5750c2300f39bdc4de1c280
SHA512 1b8d42ff3edfdcf9491329900894c5916b2f277cef64f0825efffd7c14fbe3c7e6d1f9aca02c447cb6d5f725831d5530c5b5ea02ae2729f038f7b6f89c90c5c1

C:\Users\Admin\AppData\Local\Temp\~DF135~1.TMP

MD5 edd562ac2279114db352b65c28161e14
SHA1 e63c6d341fbdd86f4845dcae1eb73d0ad260a7fd
SHA256 b6d7e6fcf1dd199889b5bac7bc8076b58e7b24ee1c54c96a5088f64db559dcb3
SHA512 b291aa327da885f2fbf44441affc6742302e34d8d332924aaab016d5faaf09be7247a319750a4cf6b9af4b25b4cd9b21ece3c100d1f43ac1d89af4d28067e1e3

C:\Users\Admin\AppData\Local\Temp\~DFA1D~1.TMP

MD5 3e49f5d4a40a875940cd3aa800abbefd
SHA1 c760e2687675d99e782e53a136de4ecf0a87d48e
SHA256 b801684ba3cac010615531b6a62a62eb17702f3d859b3b84dd4070a489506a1c
SHA512 5d621dc5845bfd6ad481d5d99d855c406da86206ca6f8e7eab80afe59e1b0c155b254ab62e69933ad3413b7d25f688968429ecfa02e342a417cf62fd382d7008

C:\Users\Admin\AppData\Local\Temp\~DFAA2~1.TMP

MD5 fe943cab2f20d88487fea2c3541e810b
SHA1 a9301054a06212d03acf642202070270a810551d
SHA256 da4be56fa93e3c9e027d944267107dc16735541c04b931608a0b6677fdc2ae0c
SHA512 bc6803dce70956e3d4dda37ff14e6f9a04bd25a0d2d68f4f38492d7ade2562b19176df00b525528ca44d37a6c759f882ea249964c69749417e276cefcb77f1a4

C:\Users\Admin\AppData\LocalLow\MICROS~1\CRYPTN~1\MetaData\943080~1

MD5 c941db018d52a173604ff137bd370dd9
SHA1 a746b2fdcef1c8e63bbf27732f89fb07dd017ea9
SHA256 0cd42f38b4c9862815b99b7a5583d3534c486e9994dbb43b3347915747745818
SHA512 a56f40ecc28ee1c63aed118363d5155c4a8b880127534f9e9fe0d937ffdc0424a5474af1223b2dfd37038e904a5bb02e71b647bb7fc77e3cb2f098667816e8b4

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Cookies\EZQHN2ON.txt

MD5 c5cd65032270e1eb91f619f16ae39d87
SHA1 1224eb18cf2a50b17d5159932b262ec92220bea0
SHA256 d4979b41b6f3eccd8d6b8467be1c33b97a195c229b68d8ce2931e30778477112
SHA512 0880ee55c333c89a8999ffc275100be6dbcb4949c56fb28a99c6ed0befe31b1a244d285cd0f8f4a912dc7c1e8b406b60d58a072e67b907b175f5a3bb11d92672