29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1

Analysis

max time kernel
154s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe
Size

310KB
MD5

793327e861ff1bc78d510117eaa27670
SHA1

5528ca6d10b08c1f0b65b653e6b67aa024e71ece
SHA256

29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1
SHA512

7466d94b003a99d9e8b1731cd9b61ebabe68475509d5d13d457763c70de02fc2ee027edf431a8fb3a97544ed189379ff50f53cdac25a12b76e7079934cbcec37
SSDEEP

6144:QFxJ85QlW5suGZ4HIy72pXHfDRH0G3B5jAPjsBpb0rAy+YJ1:W62W5suOMIX/DVXB587sBpb0rNz

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\safe.ico	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\progra~1\ico\04887940b7db45d4894235d3e6fdd46c$dpx$.tmp\a098300fa9ca5546a1fdc1c71ff18695.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Video.ico	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220919094813.pma	setup.exe
File opened for modification	C:\progra~1\ico\04887940b7db45d4894235d3e6fdd46c$dpx$.tmp\job.xml	expand.exe
File created	C:\progra~1\ico\04887940b7db45d4894235d3e6fdd46c$dpx$.tmp\f8c859d66c78014ca7d115905be5c50f.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Chat.ico	expand.exe
File created	C:\progra~1\ico\04887940b7db45d4894235d3e6fdd46c$dpx$.tmp\ed6bd59f0a64194bba4ed18e0bc320fd.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Taobao.ico	expand.exe
File opened for modification	C:\progra~1\ico\Beauty.ico	expand.exe
File created	C:\progra~1\ico\04887940b7db45d4894235d3e6fdd46c$dpx$.tmp\596b067ad20eac488e63fa407f2d6c6d.tmp	expand.exe
File opened for modification	C:\progra~1\ico\meiv.ico	expand.exe
File created	C:\progra~1\ico\04887940b7db45d4894235d3e6fdd46c$dpx$.tmp\e483a132ff7b8345a68dca22492f2585.tmp	expand.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\58224087-2ee1-48bb-b415-3a713242fd59.tmp	setup.exe
File opened for modification	C:\progra~1\ico\{EC419C6F-9A2B-4949-B321-266CE9D6B7E8}	expand.exe
File opened for modification	C:\progra~1\ico\04887940b7db45d4894235d3e6fdd46c$dpx$.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Film.ico	expand.exe
File created	C:\progra~1\ico\04887940b7db45d4894235d3e6fdd46c$dpx$.tmp\ff0f98a62360634181883ab501037447.tmp	expand.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\618889.shop.ename.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370345830"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985228"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985228"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3925412253"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985228"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985228"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000005a1ca95dc1b99f9b7adf628cd7e771f3016ed28679983e458d549501e108394000000000e8000000002000020000000637a0c1132703c52d7cf6ed46fb99dc3bbcf3be3564285de49a9bd583592b0dc20000000223a548b35074ae42e8dc9bf8d88a975e7bcefc461ee5a58baaa734e9b21672b40000000afbe8d09b32613be7795b5309459bd3a8d8a71592d9d2ca64fa8bfc870e79898b692153af3d60a2a1e334fd336d81f7a17e4f96c0ccd33200084f531645484d1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000001f359d1c782fd7b22a86029ccd728e1199055840049ef91d5240a87626cdde5a000000000e8000000002000020000000fc8ec8bcb6448e1af5439343f19ba7100af5e4bf34dc248d4e30e8bb6d0618ec20000000eb71c0b070719155caba461ab51f1c0a80218cebf2fa9ff1cc3522736d6d3132400000002a27f14f0c809c9bdca370b5aff64acf226c17b7173fe6ce7730680cb4ff0e5b387b4f2694a3a4269c1385cbd7eca7cfacdc66543e75ca4362fc4afd124b29d4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3925432658"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3926399164"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1530E429-3800-11ED-A0EE-62142853BA25} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ename.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985228"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3927181407"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985228"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ename.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 900a0df00cccd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{152E80CE-3800-11ED-A0EE-62142853BA25} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3926399164"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985228"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3928948436"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3927181407"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe
2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe
2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe
2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe
2556	msedge.exe
2556	msedge.exe
4740	msedge.exe
4740	msedge.exe
4892	identity_helper.exe
4892	identity_helper.exe
5880	msedge.exe
5880	msedge.exe
5880	msedge.exe
5880	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
908	iexplore.exe
2296	iexplore.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe
2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe
2296	iexplore.exe
2296	iexplore.exe
908	iexplore.exe
908	iexplore.exe
5048	IEXPLORE.EXE
5048	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1264	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	86
PID 2136 wrote to memory of 1264	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	86
PID 2136 wrote to memory of 1264	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	86
PID 2136 wrote to memory of 2228	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	87
PID 2136 wrote to memory of 2228	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	87
PID 2136 wrote to memory of 2228	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	87
PID 1264 wrote to memory of 3572	1264	cmd.exe	89
PID 1264 wrote to memory of 3572	1264	cmd.exe	89
PID 1264 wrote to memory of 3572	1264	cmd.exe	89
PID 400 wrote to memory of 4740	400	explorer.exe	91
PID 400 wrote to memory of 4740	400	explorer.exe	91
PID 2136 wrote to memory of 2296	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	92
PID 2136 wrote to memory of 2296	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	92
PID 2136 wrote to memory of 908	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	94
PID 2136 wrote to memory of 908	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	94
PID 2136 wrote to memory of 2984	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	95
PID 2136 wrote to memory of 2984	2136	29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe	95
PID 4740 wrote to memory of 3136	4740	msedge.exe	96
PID 4740 wrote to memory of 3136	4740	msedge.exe	96
PID 2296 wrote to memory of 5048	2296	iexplore.exe	97
PID 2296 wrote to memory of 5048	2296	iexplore.exe	97
PID 2296 wrote to memory of 5048	2296	iexplore.exe	97
PID 908 wrote to memory of 932	908	iexplore.exe	98
PID 908 wrote to memory of 932	908	iexplore.exe	98
PID 908 wrote to memory of 932	908	iexplore.exe	98
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100
PID 4740 wrote to memory of 1144	4740	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe
"C:\Users\Admin\AppData\Local\Temp\29a20515e8e82ebfaa714e22cb4f77bb09db3c78bee3e3f5d4243cd735df85c1.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\z5aPt.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\ico.cab" -F:*.* "C:\progra~1\ico"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:3572
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe http://www.v258.net/list/list16.html?mmm
  2⤵
  PID:2228
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.q22.cc/?ukt
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5048
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.v921.com/?uk
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:908 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:932
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?kj
  2⤵
  PID:2984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.v258.net/list/list16.html?mmm
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe942246f8,0x7ffe94224708,0x7ffe94224718
    3⤵
    PID:3136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2320 /prefetch:2
    3⤵
    PID:1144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2704 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3208 /prefetch:8
    3⤵
    PID:4204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
    3⤵
    PID:4884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
    3⤵
    PID:4172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5312 /prefetch:8
    3⤵
    PID:3844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
    3⤵
    PID:1300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    3⤵
    PID:856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 /prefetch:8
    3⤵
    PID:3844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
    3⤵
    PID:3144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
    3⤵
    PID:3356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
    3⤵
    PID:5504
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:8
    3⤵
    PID:6052
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:2696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff7d7b55460,0x7ff7d7b55470,0x7ff7d7b55480
      4⤵
      PID:3844
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
    3⤵
    PID:5304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:8
    3⤵
    PID:5200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3924 /prefetch:8
    3⤵
    PID:5784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:8
    3⤵
    PID:5208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
    3⤵
    PID:5952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6288 /prefetch:8
    3⤵
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3744 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,11807550602804555726,11178166820653696893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3096 /prefetch:8
    3⤵
    PID:5128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
99a42bcd09b2d7ba5f764d591d6dbdb5

SHA1
84edb5b210004c7d4b12a4cb488c53e32b58bd3a

SHA256
9facfb6e313a906c8bf35bbaf7023b888ed1544b890294336730e5b3e77fe047

SHA512
5a4fd5adcc708b1881f4c75c6c84d0b693999649b3857d58dbc6b372ee593356c661a9ae5df7f1ebed9118b7a2ca8cd0e33dbf0565b7dcea144922c4ffe7db7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
8062bbc0b0a20ca51251b5189b124531

SHA1
eea4e23cd3492d8104e644ca2edd72fffd8ab9b8

SHA256
0635d15869cc38c0b140bee9eab42dfa184b58e9692e0f2e86943c038e2f5eed

SHA512
b32432f5f56332d3ea1c86f6b9b6689a3349125d2dddc7a3170a4dec414598ea02a0aaf769be9050c761de193f94946e6479e50cee87d0aa948ed6c686b03387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{152E80CE-3800-11ED-A0EE-62142853BA25}.dat

Filesize
5KB

MD5
d9eb5e410c5c6e76a66a9a1eba6fa1b0

SHA1
0a89314a00078ae8d2dcb01b0e8d66fb488464c0

SHA256
fcd0b8d33b4a75f498ba2c929a84e3f08459d99faf613861db448ddaa09c0c98

SHA512
f721e6eb8ee9e5cc7e853bbfe793bbd74e2938c2e57857fde581ccbc1551f0013669de04836cfb2d22549fbe213d7862b753f4abc4f78d2ff0dd2190b265d927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1530E429-3800-11ED-A0EE-62142853BA25}.dat

Filesize
5KB

MD5
d9ec3416fde502c0e62c57892f9cdd1c

SHA1
561e71764f1c37d8de172fee2043a07340ba75b8

SHA256
af12f62423e141baf088fa060e4a9a090c647e46eb0b992459a735d3512e4b4d

SHA512
1be2047c6e8d124fb23edced12c5e432f0e38eeac32978e58eab7e49f911a496407031718dd2306f82de206ed955c122891a7045e52fd7c05d049ed85abe5e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\z5aPt.bat

Filesize
98B

MD5
ada787702460241a372c495dc53dbdcf

SHA1
da7d65ec9541fe9ed13b3531f38202f83b0ac96d

SHA256
0d0f600f95192d2d602dbda346c4e08745295f331f5a0349deae21705367b850

SHA512
c86091735b855691c89c7946145591dec6a6a6a36a2438d392587a9cc1f2d85c1ebe44fcff1cc9d94271a24ebbc2ca38639577a6f5c592e9e10517da26572708

Download Submit
\??\c:\users\admin\appdata\local\temp\ico.cab

Filesize
20KB

MD5
1319e9998cedc513c68fa6d590b6ad63

SHA1
ae95b333e88a13886994f320f5dfb4856168a710

SHA256
9a5b18efe243fbe9b9b0be3674a24080e9210436986988f3f85a4007905083bb

SHA512
d4052a899c6c310296e2f5fdf6c2031c22d2644be620cb34ddcc6b59789d82a6462daaeb34466c568be48ee975c4a5ab43143eab0792312a6cd0d49f9fbd8d3f

Download Submit
memory/2136-154-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2136-133-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2136-135-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2136-132-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download