hxxps://email[.]vbasoftware[.]com/e2t/tc/VW92pk33PCB5W51xzZ06-WW2SW5_BCzp4m176cN8XrLDZ5jmnJV3Zsc37CgH33N21-9w9wdsv6W3kTdwH3QThVqW1FFXFR4vrwCBW3kNYvx8bwkcfW8gH3Kg19VjWgW79q6xW2sj2cBVYkyfd8bCz6ZW8SdWpc11nWhjW93XbxT8BPgJsW34dJcK5lLlCvW1p7nDj293C_nW28cGPM1phf69W3YZR8r54nJdzW8dp9vQ6tcLGKW104-_Y7pgPsvW782lJ8923VjRW6zQPxq4SNpb2VsLdZv78CBXcW8FJC_f6n7Y1qW8jdv8k5Q6dS_W8Rpgzw5MYZTBW6SgtHv1FsZyRW8VNzmZ3J62mnW1VNRfL1Zkj-SW3HpsFr1Qslq4W5D2M4P19fSPQW11NcmK1KJBf4W5g3y9L2sDR3RW1RvBfy8yjwf1W8x3HpD3vdp50N5MGDzg3b-DfN8G6W-qsh7vkW8nknRY5nmf11W3pmvzW3zMSGk3lFz1

Analysis

max time kernel
112s
max time network
132s
platform
windows10_x64
resource
win10v20201028
submitted
22-01-2021 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://email.vbasoftware.com/e2t/tc/VW92pk33PCB5W51xzZ06-WW2SW5_BCzp4m176cN8XrLDZ5jmnJV3Zsc37CgH33N21-9w9wdsv6W3kTdwH3QThVqW1FFXFR4vrwCBW3kNYvx8bwkcfW8gH3Kg19VjWgW79q6xW2sj2cBVYkyfd8bCz6ZW8SdWpc11nWhjW93XbxT8BPgJsW34dJcK5lLlCvW1p7nDj293C_nW28cGPM1phf69W3YZR8r54nJdzW8dp9vQ6tcLGKW104-_Y7pgPsvW782lJ8923VjRW6zQPxq4SNpb2VsLdZv78CBXcW8FJC_f6n7Y1qW8jdv8k5Q6dS_W8Rpgzw5MYZTBW6SgtHv1FsZyRW8VNzmZ3J62mnW1VNRfL1Zkj-SW3HpsFr1Qslq4W5D2M4P19fSPQW11NcmK1KJBf4W5g3y9L2sDR3RW1RvBfy8yjwf1W8x3HpD3vdp50N5MGDzg3b-DfN8G6W-qsh7vkW8nknRY5nmf11W3pmvzW3zMSGk3lFz1
Sample

210122-lsvk46q36n

Score

6^/10

ransomware

Malware Config

Signatures

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\5357795[2].js	js
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\collectedforms[1].js	js
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\5357795[1].js	js

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1908	1508	WerFault.exe	IEXPLORE.EXE
3352	2716	WerFault.exe	IEXPLORE.EXE
2356	3172	WerFault.exe	IEXPLORE.EXE
2072	3828	WerFault.exe	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000898909ca11c9112f18c41dfb9c4f33829c9554c47f6c769eadec18cf15561c86000000000e8000000002000020000000c313adcb7f1315f2afba21350b4808f101eb2953c3e7f78525892fada1c37957200000001b3fe0fee8c23d1d6b024411bc6bea27c250894a060dfc5091ef200293e2e2fc400000007575cd9deaafa137b58f0a3132b1a90f5f5ba1394e83cfe57ccc4285e4bc8ba681a0ce5bb99d32e55bf9e2698d44d44a6997c0890e1ceb38d9e163929709854c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "318117309"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a000000000200000000001066000000010000200000007aa7e93d53c5b9af7473c3aa6bb0d6f367685d64be27ea286d5b8bb7120c69b5000000000e800000000200002000000042451d1effc75e6b033815443cbc3fe82a7fb799a7f9ca28a79ee7c1f4ca2abf200000003dab80b1eb9acf7af9c7789d64e2748539ea08d5a991277c7e63eac4eb8a819d40000000bc1efb12e0c763e0e249de3c4c96065d2ae50df18210160498098b0336a3e30cf05a0d06544305784b788de3ce732378c9b8b08b8d15bbd388ff29ddda524e66	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000c07fb867d7076b12a1f37d6496af4aa74b58d43b5aacee48060d38228ad15788000000000e80000000020000200000003031904ffdf3751f44ad15486f0e4b368804587e72c2c649f12704e641fa36ab4002000012a7545d5a2352a917c8ff2887fbdf92cc87b136eb7d303efee1274695bc4092cd92c05efa36bbcd8e6ee0ed21e41d7fd2d670be63823610cde7db04e6c15af5d63ff0993634d4033b4d838f83a4c46058eec0b52232ecb472599f4ffafaa015ca3924d75e21f277e73b87e0692635cf3d2a027a83f6b00ade967f5abba5c204c710efe9d213733cdb2a4b407557dae68a6ed6ded1134ac57acdf2f03d6089b9a8a4610ce62f6edb142c987a25f983035afe30e60768c6360c12b2b597be60f63af68969f3b12ee1ddcbe35519247a6ad2d9e06102134660e1f00e9af9b1dd41d24283dee0dd1619f3043d3055d20d28c89546196609b65c36cada19cef335790cd8a0cb1ddb99051f46093a6ee7f0eefdf71aa4198fed9604f00e5036fee8a0dbb927933d6a72e80faf01ec89004b55b0c06269ecfcbd6cc380763abd2a3a01cae37e8802e3c8031cb50c8e1267f8365ff551b5665c7a0a22c39dfe5092cffc2942e0b3b838cad48cc4858302a857a899d8fd4dd75c919902973063a1c7e9753e647c05693c3a06f897573b2ca35ed31959fec82e21e5bb5fbf06c06c928a73ebd19f49b7ce68753e24c9d5087eb50fdcefde9b8b072790f89131c68fcd779c92bbd7d097111a54d4c26f2e41fcc7f3d8a04f2d1968689eb81311cb6d4f4fec13ca896aaf09fb29aa96a70f660a643cab939af6a083c06568c71435ce37277c4ea3930989a403cd999691b409db16e0f7d9580edc39153ac0652b539ca7df26b22516d9600d6e88f45a08323916a2c7924e776c58c020b889e4d8350bd932e24000000036c4622314a1672923ce54a3ded6a6f89baada34fe6c581836ef8e64d24f6468a04b256af7dfa3958a1f07654d0e774ca6df2b6ce75283b30fafb4bef39db44a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "318085317"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "318068723"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a08b08cf97f0d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3392203523"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30863511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\vbasoftware.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f091e9ce97f0d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30863511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a000000000200000000001066000000010000200000007d5cc70678b0b436b19a6bb4ddf56f34df4a35e4ea0517f983e367c5264cff5a000000000e8000000002000020000000a9c06eee058cfb858798089d997a70aee6730eae5e29dc43b0b4ef91fabd97c9200000006bbaf38ca214da7dec92d98aa203c2c0d280d3bf4c56ed438292cd3e39e23ddd40000000c49344be382fd9623dd72a2e0810ea5da3d9a1e089c6073e0045075bddd36d61d268f96a33ba8f6467b7d75f5158a4838a7520d305260efe41edd449cc8280a6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F500F411-5C8A-11EB-B59A-D20AA236B192} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\vbasoftware.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000c436cef00c49504ce576476e6027b214196d0788f81dbc7d1352da060d487d8a000000000e80000000020000200000006b8d155f4afd67e827a7f32511fb40209716cfaba12a5e798b4beb1b0d14146840020000590914794434e750784feadadeb04814205bba57c672571aaa69892523c075513e15037660b84ebf45a314a66f3125afa0819966932e839c7cdf66ade6e3b3a0d6223d21f2b639efc82dad8ab8891267d8fbecf6057351e9ce4211fb5d9213139930b6de58c45484b68fbd6a21d7e1e1df790d90506f8ed6243b53c3398b71fdd73a1fd73d68728e740ef352e59933b94e06bc2f95b77b5193fce0fd8fafc9f827d13b4cd78508c3b32735d2045ba51e7f18255b001f6747edb18b4ff9bed03f2d027ac47ccd856cd967a2e7963d128c7f008f2c9944f30284dfbdb0b6392cc90153faf822afd78e10002bbbd591bfd6d9dc7172e277525de8dd7c841043c55316e187f08afad9bb73d4f16f4ef59a7d62093bc441258da6afce7baef97c3b20c0d07805fc667f3753b738c0402e80691024ff10f9f59efa0c7d5434de558e36e553b1ad5f1c27423c9399ff50026ef575c77d7db1df2498a5ba2247574407c59cd989e1fbc0d4cb6a35126bc96ee1077e9af19196393ff9b4d38430bebf044cd772b2e438670eafb268e96a58ee98c7a64876fe990d7de098a2adae7dfd0ff1df25997045617cd913ff0196c3eea53f007ab0ec3e82575707f7a0761a4d8072077adec49e5111095a45152d116b6ac70aaf0925bfe0c9b4007e2229df0ae906d52c6cd1190f5da9c0202d0d8db8f08396f2ef6ee2f06a553c593b984ee601f593dcba6ffd8fb84803f79bae22c74681b3e495564b7601dd8214c2110a1787357c3c61f43d6deb41ae7d5b96b5e4551d4cc6cdf6b7faf805b218811fee1dda47400000002524ebfe36e39e2f8db6dca05dd7d62615ed8f04e30992ea2c4dea0c9c52e281cabdb127955d075167b2c7def94b6b5519b63b95b20e3e4b187eaacb422e4aa1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3392203523"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607266d497f0d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe

Suspicious behavior: EnumeratesProcesses 65 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
3352	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	1908	WerFault.exe
Token: SeBackupPrivilege	1908	WerFault.exe
Token: SeDebugPrivilege	1908	WerFault.exe
Token: SeDebugPrivilege	3352	WerFault.exe
Token: SeDebugPrivilege	2356	WerFault.exe
Token: SeDebugPrivilege	2072	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3132 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
3132	iexplore.exe
3132	iexplore.exe
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
3172	IEXPLORE.EXE
3172	IEXPLORE.EXE
3172	IEXPLORE.EXE
3172	IEXPLORE.EXE
3828	IEXPLORE.EXE
3828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3132 wrote to memory of 1508	3132	iexplore.exe	IEXPLORE.EXE
PID 3132 wrote to memory of 1508	3132	iexplore.exe	IEXPLORE.EXE
PID 3132 wrote to memory of 1508	3132	iexplore.exe	IEXPLORE.EXE
PID 3132 wrote to memory of 2716	3132	iexplore.exe	IEXPLORE.EXE
PID 3132 wrote to memory of 2716	3132	iexplore.exe	IEXPLORE.EXE
PID 3132 wrote to memory of 2716	3132	iexplore.exe	IEXPLORE.EXE
PID 3132 wrote to memory of 3172	3132	iexplore.exe	IEXPLORE.EXE
PID 3132 wrote to memory of 3172	3132	iexplore.exe	IEXPLORE.EXE
PID 3132 wrote to memory of 3172	3132	iexplore.exe	IEXPLORE.EXE
PID 3132 wrote to memory of 3828	3132	iexplore.exe	IEXPLORE.EXE
PID 3132 wrote to memory of 3828	3132	iexplore.exe	IEXPLORE.EXE
PID 3132 wrote to memory of 3828	3132	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://email.vbasoftware.com/e2t/tc/VW92pk33PCB5W51xzZ06-WW2SW5_BCzp4m176cN8XrLDZ5jmnJV3Zsc37CgH33N21-9w9wdsv6W3kTdwH3QThVqW1FFXFR4vrwCBW3kNYvx8bwkcfW8gH3Kg19VjWgW79q6xW2sj2cBVYkyfd8bCz6ZW8SdWpc11nWhjW93XbxT8BPgJsW34dJcK5lLlCvW1p7nDj293C_nW28cGPM1phf69W3YZR8r54nJdzW8dp9vQ6tcLGKW104-_Y7pgPsvW782lJ8923VjRW6zQPxq4SNpb2VsLdZv78CBXcW8FJC_f6n7Y1qW8jdv8k5Q6dS_W8Rpgzw5MYZTBW6SgtHv1FsZyRW8VNzmZ3J62mnW1VNRfL1Zkj-SW3HpsFr1Qslq4W5D2M4P19fSPQW11NcmK1KJBf4W5g3y9L2sDR3RW1RvBfy8yjwf1W8x3HpD3vdp50N5MGDzg3b-DfN8G6W-qsh7vkW8nknRY5nmf11W3pmvzW3zMSGk3lFz1
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3132 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 3144
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3132 CREDAT:148485 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 2768
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3132 CREDAT:214018 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 3092
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3132 CREDAT:279559 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 2700
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
990b7481318eb5b266dc0b99f3e8a4ff

SHA1
d74ddd400028d46e8c320989cac6edc5c21a786f

SHA256
109e36635812e20a344ca82386b276677a87db479133c74fac58def106006579

SHA512
25427e599a0ace39350cf2a6200379d60159083ed59f4fa1b2a9efa55ebfb56141c8e0234cfc8f921e5db10788cb594e61dd8164c96b8471fcb113417e217ace

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_09E82582644A63245E042D16BA5D91FC
MD5
a8bf1b8251db128cbe9c8786c5bd67a1

SHA1
464a914549d54e4b42751030e73d0e9ddead0ac4

SHA256
5a43664ff5303b545d43d05f1b80a28f0be36bc5d094120d65f1427dc54e18a7

SHA512
6f7024bc0d563cf70e11831dba653d1069cd38a7cc5dc2251aee2c769a0a5935741b6d8231c5baea0699e713c88fa34844dcfa930bf7ad1272b090df700bce9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_234A49D1BE5F42EB99B47BA44C97527F
MD5
5f564f4579419d78508b72e0037dfaf7

SHA1
89a917eef7677985da21582e154e9f86f918be3e

SHA256
cd2af180dd5e6cdcc2c1a0583bdb1a0d384ceac74d6c49b9466fc00c37956319

SHA512
d17fd3669ba61f6b17cc1159a8d240b3da50bc4e73f47cce6eb3a333336cc76fc057e6d8b78cf9043bba8544bc3cb75083693b2ea14cdb57362d6cef82aa1788

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_8594CAB830D8CA2E437A9C765FCEC9A6
MD5
a11f33884bb3e39e4df7e7d7471c13b9

SHA1
62c08185e8752f7a74f5b5e2ea12cf542212ab3c

SHA256
f41838b533d8d76f4ad34e865e55945c8da11d722342868901c1d76d57aecfb7

SHA512
93f7b30bcf97f2adc62d099e65dd4586230bf5d10c084cfa07b426a02528c3b0b12c26777af6ed31381a5ae04cd0a711be26bd9bdede4fe115482e01ac95ec05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_E4973A80E91145578333CB78C293A3CA
MD5
9f63d4544280a1abdf7342cc91dbe93d

SHA1
22b80c6085e3ac6a14e5f56afc73d1320656f034

SHA256
0ce44603000b1f483d29d5a75c3f0d16962f279942fd25db248f3308da4ba74a

SHA512
9533190a02000001cfc0b2791d780269822e770dfc9fe0e5badd907a40392fba489dc1f55dd6231b46ee27200f6e092457645d113e99f040ad343d928efae71c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
af67b51a1ebfbf6d0f208a2f4fb2b6c8

SHA1
dfd2d2b871d082260d55119e18c12ddb33ef45d3

SHA256
8f7f97a2547ff73c2f0b54908576b434ef09476547be6b90dcb596a0f103e150

SHA512
c9cf095c8cfc4852ff6d3504e76533c63bbc485580aa6cd492e1be00d26830077c476e917fb7b59aa4f6661df0f67609f30e1f6c9813d0675f40c21feacb470d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_09E82582644A63245E042D16BA5D91FC
MD5
e7a1703b4e5ddfd5dca0487805e3886c

SHA1
95ccca85295ef2e20a8785a3838e29a2c12a4c26

SHA256
cdb2d17873bbd6037c85de046478a6c783944a287f59091c51a9c83e8268b343

SHA512
c4a9de284fdfe63069bf3073d1bdb0e689776cd1c0625ff88a364b48b9eb90787c4ca5ef65ba8488c613553f7fc12718c90a68d23ca75dffa11f1256a4c9dc50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_234A49D1BE5F42EB99B47BA44C97527F
MD5
44084226c897fca9914c384bd56adb67

SHA1
92eb385934047a6c99b75a7b3f18444924310b6f

SHA256
6aed6e8cdca28abcb3f64b347506fea58758b7b3970679864f3c9a771131833d

SHA512
06dcbc9867e1cc77b2015332a805e0e248f99ec167f3c3af785b2e9be27fe34215d6cbbe089deb57c43818eb67f4b5bb50a21d988ab9273dbcfd3710f5ccfe34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_8594CAB830D8CA2E437A9C765FCEC9A6
MD5
cccaffca4f393a7d47562d9fc92dac7e

SHA1
18ac6424bbe47b59cd2b11c63f1dab4adef9a46a

SHA256
3a20c7d16571f237b1f2025eb5f81088da9cf879fb038908fdb10c499dcf9196

SHA512
0126112590c44b4a728e39ce984669d98eb0b226cf774dc7ac46d77b4d818e5f6eb55612d5a244b55ad63574138a35f1ff00c8d50934b2f685d2db22e26410ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_E4973A80E91145578333CB78C293A3CA
MD5
8c983c478e5c1b9978a99b2c988c8cef

SHA1
da366e421fc97bec80f5a943ddc0467e6c58836e

SHA256
21d824074cb5e31184ca3856a4c4e1ae2aed1980621a260e6bf22ff2ec6ac851

SHA512
90308715fc52074d0b77b40645a2ea551c990ab45487767f8f0375c594e66a16d2a4e3ca42ed9aa44e1ef2438e7ede972e57f6c02e27f1795642c4660115db72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\B92BH64W\clients.vbasoftware[1].xml
MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\5357795[1].js
MD5
0b052450de0b8212ac263be17a8d622f

SHA1
6f1a0ae13ce21738520630c5bd5316109a1fec49

SHA256
c59e19b593ee402f3ed65e1455f773b48b25fd1dfaf339465acba7764a961a2c

SHA512
521b6cc673ffd150686e1987c83d7f5d9f4ae27d597b9434046a385f242c652af1c3ee163b3c2dc79b04a5c3449f7016d38a71dfc53e651b50d5a5476abf6946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\5357795[2].js
MD5
bf0b3bc56568b2d99f132a6d90a3e653

SHA1
9ddb8a0533c8314fe040bc31280f351bf7f11735

SHA256
02c6d6f5c308d19480ca84d8e86b54f909fa898f17d6af7f85709107202c2583

SHA512
85d510db472e4957f171c71273a863cbd4fa3fd8d58a42767d1dc755c67414257f2e4738b0d5448030619555a0324cb3dd68785d5b94fbcf86806aa565e312f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\collectedforms[1].js
MD5
23d90b523792ecc8a2cdb61f5c56c822

SHA1
39544f0c49c212ac58f597c99d21abda61053038

SHA256
c77f18983978fdbdc4e736eb42c0935e8ae171411eb8e7456613b866909847fe

SHA512
53d41a9d4be99fcfda76f50b91057287dbf8faa24d006414cfe831ec03633e5061a712a8649698e77047104db5cde3390e659d73029c63bd52244029d9892cd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\5357795[1].js
MD5
bf0b3bc56568b2d99f132a6d90a3e653

SHA1
9ddb8a0533c8314fe040bc31280f351bf7f11735

SHA256
02c6d6f5c308d19480ca84d8e86b54f909fa898f17d6af7f85709107202c2583

SHA512
85d510db472e4957f171c71273a863cbd4fa3fd8d58a42767d1dc755c67414257f2e4738b0d5448030619555a0324cb3dd68785d5b94fbcf86806aa565e312f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\VBA_Logo_KO[1].png
MD5
80da6ef3f2dcb2a94676cae06d245c6f

SHA1
b0d3f3614448f91f7161ba990e3f658061bc0249

SHA256
f8c9dd7c84d3e2d3265bd4bf0ed458c44eb9b4cee92b39bf73cc97fdc91afbe4

SHA512
8895a8e16917d33b5fab643fa05e28d0c564fce9960384ebbaeb96d1892200a683960c30a66bf6fe2450638c16e3fcb49f06000adf499c7d750eb6dc72e5061f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\fb[1].js
MD5
632aa3165be38ae826d4cdf20b0c1be4

SHA1
882e05346cfd6dec013795d843db77a7032210ed

SHA256
ac1496eb4cdbd0d93463435e73938df03ada398b8c602fb257d78dfe3d6015dd

SHA512
d3bd8a45706fd98ff106b9e7177c8c74cb9996871e10801fb549b3e1598a37a1016c452e768e80743d6219eb1ba2385835bc1e6e5ac1c18c5bb7f16618a3689e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\5357795[1].js
MD5
9eb8cbf742bca735165531af75bb7b72

SHA1
73a3d3464f075d172e9335d95a4e44bc3924efd7

SHA256
29cf4d166615b6cfafa93cab72bfde45c4c9e0a4e6d237a35ead32f505f07ca3

SHA512
5a58bad2108a0bcb81378f569d5778c249b0040eb67d65d10e87dc749cced7e389f2621f0bcdb2db8dd7fb02238c2430fb39ae6c54fc0822a07d199ee73fc02d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\5357795[2].js
MD5
e79ca089f6fcaa35556c44e4fcb675aa

SHA1
1ddaf98d643f7255b181ec2813d92a6884a2b348

SHA256
f5a19c013083bf803748f99a1f952f7d533e99f3a127611293f958b148bc5420

SHA512
60462e19085bcb617eaa5d603ab1cc867882565ecfa27b4fbf0810b63389c42f0c635fcab962691217a561f677687e62a8cfe3d049c9d03dc2b9836ca25e2bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\json[1].json
MD5
980692f3bd15a410c41c118f21a28879

SHA1
d7551cb577a6c0c24c2597f1b997cec9e1d5f0f3

SHA256
1cd5c1c8661d1a70f4698b610f03a319da1d5fd610764c3c82cc915f314de0ed

SHA512
36f151f6a379984090f56359ceec3b3b3764bc6d2265c89e4cfa8f11f604bdd8916d4c5ba41af3c3beee25cd2a27b9a18722c218570f12162ed5694056a49109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XMX44WX9\form_validation_asset[1].css
MD5
e1794e0ac31cb1e9d18a27c35f82484e

SHA1
389f5e8bb1904a8617960f0dff8effbd58540f28

SHA256
b826d0b1f2465da005a7ecf26cf1a686a3e2cc585c8b8073e37e5267c0e04e19

SHA512
d77525371012a751872e9c54d49cbc82d14870f99431277e02b23aed80df623c8b9df2d1b42a4ad89818e8347a4934402811684b5d48ba266fed03c18253a92d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XMX44WX9\index[1].js
MD5
e669ca94e2fffafc96a88184dda30834

SHA1
11bd86e1512247684d725eccf3fc25b178b5e1ab

SHA256
dd3eb59038a5df086653388d9394fed2f2f1d72d9c01cfdc4920247a9d371e83

SHA512
f359080a1a9361c855c7f648ef4f51b5bf7922eea069032f3ea4ac699180bcef70126135ae877b6d8eafe2dd4c3ec4fa41b05f8a79b3b9e153e91b2783cf3caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XMX44WX9\public_common[1].css
MD5
26baf8a457dce1dc1bd0d6b945f4c44a

SHA1
f0ea8780f288d4a644ab4554a4d6385dbefa869f

SHA256
fafc1a4c4fdcf86a1f539d79735d868f37e53a490e680a44dac209716e9e5a7e

SHA512
7c7b280adc23ec5a18434566be202a1ada1279cbc92d6531b2543285fd3db40689e7850ffaabd568be4022da39d9f633066b8ea28ed0e443bce00e810dd61f7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XMX44WX9\register_asset[1].js
MD5
0672cd162fcd3a7333d8825efc79837c

SHA1
0f16c2cc98e1dc0fc6e5f0b47be8776a290478d6

SHA256
04b69346b5830cab0f0128606e1eb4cd41045e12c8fab2a758377dd132ea17b9

SHA512
e9c54f34fa1b758e4c075a06e81a22957d0014fab61fdcb2be29da12913a3c0f94c958f7602c5150b12c7db0b5b4402d88c20b75192e3b40152328ec511c8696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0SN78EHT.cookie
MD5
a994525cf5cce86ffff6a106ec53f92e

SHA1
41d93b01f6c863760944f166c652e2f05b2d2b3a

SHA256
8c0761da88c5a508aeba9d51733a4b2bd519b963253b01ce007c2d59a0e64bcd

SHA512
ef5ff5b00197d4560de990c28d3165ffea540b144c2afd731d409e2116238102b7a33cefe5e3c86955c72bde3b5598a537b48411202d7dac5f86e94e7ec3929d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\6BK6CPZA.cookie
MD5
0d64464800078b9d77fd40e38b3d232d

SHA1
cfb8cd1471c2af5b3ac41b4ffc7d77cbcc4fc3e0

SHA256
40bf9e5b11f96d9cbd48541b8617e94a39079c9bd7fab1413a21f854241b42ca

SHA512
5574e65b843e1e21dec867995ae02dfc5b535abddf5b4f02493b60f074931bced7fb6647010998f5698f77a4e5bcc270cc77a0a0c62d672bb276f215134584cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\7594DS4E.cookie
MD5
8551c094627e5e6a4e2542cbda5a5078

SHA1
e003f9771d2b7aa0095820969a6a7c22d8682674

SHA256
da1861725f017789244b58cbd3c14e08e2d1e6d5e28a1a99a6bfe4385c5eee41

SHA512
ff7d5168698982a0a0e06b365f398a0e1f2b56c514826cf7ce66f2c1ba144e57dd77d0b688053f8eff2d8c128ece4a083398e7dedcecf384d1d54068268f9b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\BZZ3CLBC.cookie
MD5
73a5822d1f1b48ff65f27c80a013885b

SHA1
6d30c451aa574ca28e44d7d3550e1d888a64c949

SHA256
f2bc6e9d0bceb1810ec6a0495fd3df8d36b3f90b5782dcb95b83155e1b6b3f8f

SHA512
08dd53499359296624ef2af56072a4ffc7c64ead2f084cd789bfa6359b69b72324d8c456345e074acca4079386ff850ba68774fdc5fea449efe1221683fd4871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\CIZOT5NK.cookie
MD5
a38a1bb04c04dbcfc2cd907b68f16b6c

SHA1
98bb89a31f04d8adf93ae95d7cfa50d8f96e5c94

SHA256
0fbaa95e01affe2de36e7c55e4a23fda5c7c4b13073ce7c1bbd1a0937682924e

SHA512
7611b587a0433b3d30648ee76f9b242fddcb081d88915da6d699c52aeaf9dc8fb0cb388668854b4e7f981d9aea8720039a24dfab1324d47ea3cc95dd1c459e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ESC9YRQB.cookie
MD5
0773b3ec57cb31a8f4f93643a554a6fa

SHA1
d112f5edec4a0e5a9dad01bfc0835fdd9d62e1e5

SHA256
e90fa9d4bd46903bd35296e6378e8d4811673653399b8e3a5098f2340b4f73df

SHA512
0a56ceec286a1d31108755cdfa73034d31342bbf2b387f1f953af98da522ac10cefcd881858d571e5c1fffdf9277a1af4b5de277de6d9d3e2ce284fe157974af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\RONB2E27.cookie
MD5
0a7d72251dbad6f768278f5e39e7ba9b

SHA1
dca87b295ec1f6895aa4d8e9d2a513bcfb3478a0

SHA256
07fa23c7089eedb1d925389881a28f6eb32e435f2fe4817820ae3fc3c44fd812

SHA512
d938a1175cfb3c1de1642b897c617ea327bbb58efc325bd11530128f3b8db61096991168284a6128a4aa982d2b9625978d31fc885ceef5015bf7cd74ce9abc91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SGDF6QDJ.cookie
MD5
b6f07dd361c254c3ec1e21dde0341e0b

SHA1
13ba313f40b6013f3f8d666d4bce8cc39781c42a

SHA256
4ae9592dee9d3aeba1429eb8c7f3c55f87b1d389b29bb8c4c8a6931ec086e59b

SHA512
18091e82e42c5053b563de7f3b0aac558d793c0741687016b0283d5baa7a2e80df29cf7b310399142ea83a0c70f7e6a97823b4bb4d4ca05effd5901e9a79ce70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SVZT9MQS.cookie
MD5
19c4ab1e6ca677f255b8b44c4fafa495

SHA1
5fe1c682a40515ad62250f5cc600578cf3ca80fa

SHA256
2a0f5a1a259e220307b857a1b34105a873f50c7b99fa0cb50801094b7cc61212

SHA512
7253020691d516cfd9cfe8a12364358696d66be16c29ed39f90b41f48fb1f17e668ca57eb7a350e567123fa0afaad69a7e0da346de7c5b66f1f0f3260dc576bd

Download Submit
memory/1508-2-0x0000000000000000-mapping.dmp

Download
memory/1908-6-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/2072-43-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/2356-39-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/2716-7-0x0000000000000000-mapping.dmp

Download
memory/3172-8-0x0000000000000000-mapping.dmp

Download
memory/3352-35-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/3352-34-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/3828-40-0x0000000000000000-mapping.dmp

Download