d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4

Analysis

max time kernel
146s
max time network
174s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
Size

1.8MB
MD5

f819f00375b7314af393b8c8545374f2
SHA1

55835a13e59d24d17d6ea2273070e698f01a12c3
SHA256

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4
SHA512

15552dfd99e37c3ed94f36c28a5be41b1db2d21daf6b0dfcc2f5b202fb5315fb7f00bda4f1a7a1d7daf6e386675703fd6716002b916135af8f26c68b3039bdf8
SSDEEP

49152:lnwJte53FoqI+qOGYdU3YNTMXQkwk67sFnpD5yv2nwu:lnwJ5+qOtdUoFMUh7antUv2nwu

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

21 548 rundll32.exe
30 548 rundll32.exe
58 2256 rundll32.exe
60 548 rundll32.exe
62 2256 rundll32.exe
63 548 rundll32.exe
Executes dropped EXE 3 IoCs

Processes:

firefox-installer.exeie-installer.exeCouponMarvel.exe

pid process

820 firefox-installer.exe
892 ie-installer.exe
1620 CouponMarvel.exe
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

flow	pid	process
21	548	rundll32.exe
30	548	rundll32.exe
58	2256	rundll32.exe
60	548	rundll32.exe
62	2256	rundll32.exe
63	548	rundll32.exe

pid	process
820	firefox-installer.exe
892	ie-installer.exe
1620	CouponMarvel.exe

Loads dropped DLL 38 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exefirefox-installer.exeie-installer.exetaskeng.exeCouponMarvel.exerundll32.exechrome.exechrome.exerundll32.exechrome.exechrome.exechrome.exechrome.exechrome.exerundll32.exe

pid	process
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
820	firefox-installer.exe
820	firefox-installer.exe
820	firefox-installer.exe
820	firefox-installer.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
892	ie-installer.exe
892	ie-installer.exe
892	ie-installer.exe
892	ie-installer.exe
892	ie-installer.exe
676	taskeng.exe
676	taskeng.exe
1620	CouponMarvel.exe
1932	rundll32.exe
1708	chrome.exe
2044	chrome.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
1084	chrome.exe
1204	chrome.exe
1892	chrome.exe
1924
2116	chrome.exe
2212	chrome.exe
2256	rundll32.exe
2256	rundll32.exe
2256	rundll32.exe
2256	rundll32.exe
2044	chrome.exe
1084	chrome.exe
2116	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

ie-installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}	ie-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\ = "Coupon Marvel"	ie-installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\NoExplorer = "1"	ie-installer.exe

Drops file in System32 directory 3 IoCs

Processes:

rundll32.exerundll32.exeCouponMarvel.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	CouponMarvel.exe

Drops file in Program Files directory 15 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exefirefox-installer.exeie-installer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel32.dll.old.20221123222120.155	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe.old.20221123222120.248	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\Uninstall.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel.exe.old.20221123222120.170	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe.old.20221123222120.233	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel32.dll	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Mozilla Firefox\defaults\pref\cm_prefs.js	firefox-installer.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Program Files (x86)\Coupon Marvel\bin\CouponMarvel64.dll.old.20221123222120.186	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File created	C:\Program Files (x86)\Coupon Marvel\coupon-marvel.dll	ie-installer.exe

Drops file in Windows directory 2 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe

description	ioc	process
File created	C:\Windows\Tasks\Coupon Marvel.job	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
File opened for modification	C:\Windows\Tasks\Coupon Marvel.job	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

Processes:

resource	yara_rule
\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	nsis_installer_2
C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	nsis_installer_2
C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	nsis_installer_2
\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	nsis_installer_2
\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	nsis_installer_2
\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe	nsis_installer_2
\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	nsis_installer_2
C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	nsis_installer_2
C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	nsis_installer_2
\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	nsis_installer_2
\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	nsis_installer_2
\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

CouponMarvel.exerundll32.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecision = "0"	CouponMarvel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	CouponMarvel.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}	CouponMarvel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecisionTime = e05eb71d8affd801	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecisionTime = 6061dbef89ffd801	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\f2-0c-50-c0-d1-76	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	CouponMarvel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDetectedUrl	CouponMarvel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecision = "0"	CouponMarvel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecisionReason = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	CouponMarvel.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecisionTime = 6061dbef89ffd801	CouponMarvel.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	CouponMarvel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	CouponMarvel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDetectedUrl	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecisionTime = 6061dbef89ffd801	CouponMarvel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadNetworkName = "Network 3"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	CouponMarvel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecisionReason = "1"	CouponMarvel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDetectedUrl	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	CouponMarvel.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	CouponMarvel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	CouponMarvel.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76	CouponMarvel.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecisionTime = 40addd1b8affd801	CouponMarvel.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecisionReason = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	CouponMarvel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	CouponMarvel.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecision = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecisionTime = 80a5c82a8affd801	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	CouponMarvel.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\f2-0c-50-c0-d1-76	CouponMarvel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecisionTime = e05eb71d8affd801	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\f2-0c-50-c0-d1-76	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecisionTime = 80a5c82a8affd801	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecisionReason = "1"	CouponMarvel.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadNetworkName = "Network 3"	CouponMarvel.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecisionTime = 608cd42a8affd801	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecisionTime = 608cd42a8affd801	rundll32.exe

Modifies registry class 5 IoCs

Processes:

ie-installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\InProcServer32\ = "C:\\Program Files (x86)\\Coupon Marvel\\coupon-marvel.dll"	ie-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\InProcServer32\ThreadingModel = "Apartment"	ie-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}	ie-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\ = "Coupon Marvel"	ie-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b3e3f753-ef08-4a62-9fb9-43a83cb0818b}\InProcServer32	ie-installer.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exeCouponMarvel.exechrome.exechrome.exerundll32.exechrome.exechrome.exechrome.exechrome.exechrome.exerundll32.exe

pid	process
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
1620	CouponMarvel.exe
1620	CouponMarvel.exe
1620	CouponMarvel.exe
1620	CouponMarvel.exe
1620	CouponMarvel.exe
1620	CouponMarvel.exe
1620	CouponMarvel.exe
1620	CouponMarvel.exe
1620	CouponMarvel.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
2044	chrome.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
1084	chrome.exe
1204	chrome.exe
1084	chrome.exe
1892	chrome.exe
1708	chrome.exe
1708	chrome.exe
2116	chrome.exe
2212	chrome.exe
2256	rundll32.exe
2256	rundll32.exe
2256	rundll32.exe
2256	rundll32.exe
2044	chrome.exe
1084	chrome.exe
2116	chrome.exe
2256	rundll32.exe
2256	rundll32.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exeCouponMarvel.exerundll32.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
Token: SeTcbPrivilege	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
Token: SeDebugPrivilege	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
Token: SeTcbPrivilege	1620	CouponMarvel.exe
Token: SeTcbPrivilege	1620	CouponMarvel.exe
Token: SeTcbPrivilege	1620	CouponMarvel.exe
Token: SeIncreaseQuotaPrivilege	1620	CouponMarvel.exe
Token: SeAssignPrimaryTokenPrivilege	1620	CouponMarvel.exe
Token: SeTcbPrivilege	1620	CouponMarvel.exe
Token: SeIncreaseQuotaPrivilege	1620	CouponMarvel.exe
Token: SeAssignPrimaryTokenPrivilege	1620	CouponMarvel.exe
Token: SeDebugPrivilege	548	rundll32.exe
Token: SeIncreaseQuotaPrivilege	1620	CouponMarvel.exe
Token: SeAssignPrimaryTokenPrivilege	1620	CouponMarvel.exe
Token: SeDebugPrivilege	2256	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exetaskeng.exeCouponMarvel.exerundll32.exechrome.exe

description	pid	process	target process
PID 1968 wrote to memory of 820	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	firefox-installer.exe
PID 1968 wrote to memory of 820	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	firefox-installer.exe
PID 1968 wrote to memory of 820	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	firefox-installer.exe
PID 1968 wrote to memory of 820	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	firefox-installer.exe
PID 1968 wrote to memory of 820	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	firefox-installer.exe
PID 1968 wrote to memory of 820	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	firefox-installer.exe
PID 1968 wrote to memory of 820	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	firefox-installer.exe
PID 1968 wrote to memory of 892	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	ie-installer.exe
PID 1968 wrote to memory of 892	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	ie-installer.exe
PID 1968 wrote to memory of 892	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	ie-installer.exe
PID 1968 wrote to memory of 892	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	ie-installer.exe
PID 1968 wrote to memory of 892	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	ie-installer.exe
PID 1968 wrote to memory of 892	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	ie-installer.exe
PID 1968 wrote to memory of 892	1968	d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe	ie-installer.exe
PID 676 wrote to memory of 1620	676	taskeng.exe	CouponMarvel.exe
PID 676 wrote to memory of 1620	676	taskeng.exe	CouponMarvel.exe
PID 676 wrote to memory of 1620	676	taskeng.exe	CouponMarvel.exe
PID 1620 wrote to memory of 1708	1620	CouponMarvel.exe	chrome.exe
PID 1620 wrote to memory of 1708	1620	CouponMarvel.exe	chrome.exe
PID 1620 wrote to memory of 1708	1620	CouponMarvel.exe	chrome.exe
PID 1620 wrote to memory of 1932	1620	CouponMarvel.exe	rundll32.exe
PID 1620 wrote to memory of 1932	1620	CouponMarvel.exe	rundll32.exe
PID 1620 wrote to memory of 1932	1620	CouponMarvel.exe	rundll32.exe
PID 1932 wrote to memory of 548	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 548	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 548	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 548	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 548	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 548	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 548	1932	rundll32.exe	rundll32.exe
PID 1708 wrote to memory of 2044	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 2044	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 2044	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe
PID 1708 wrote to memory of 1204	1708	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe
"C:\Users\Admin\AppData\Local\Temp\d17c510c87e9f4eab14a145404df2d7953acd1fc19ec08cdf946279ff5d733e4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe
"C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:820

C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe
"C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies registry class
PID:892

C:\Windows\system32\taskeng.exe
taskeng.exe {799CF0A6-168C-41B6-85BA-6C17C8DE717C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676

C:\PROGRA~2\COUPON~1\bin\CouponMarvel.exe
C:\PROGRA~2\COUPON~1\bin\CouponMarvel.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --silent-launch
3⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x104,0x108,0x10c,0xd8,0x110,0x7fefb594f50,0x7fefb594f60,0x7fefb594f70
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1508,15852508444868005049,3106061502832970702,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1720 /prefetch:8
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1508,15852508444868005049,3106061502832970702,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1528 /prefetch:2
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1508,15852508444868005049,3106061502832970702,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 /prefetch:8
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1508,15852508444868005049,3106061502832970702,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2708 /prefetch:2
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,15852508444868005049,3106061502832970702,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3112 /prefetch:8
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2212

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll",Extra
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll",Extra
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll",Extra
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\COUPON~1\bin\CouponMarvel.exe

Filesize
431KB

MD5
ffdb2f56f32f977883b8ef43ab3f22ac

SHA1
13f9e58c1bab75b3b95a2178ae7cd19bc6605a3b

SHA256
0e5183f73fd21ca4426ddeea428f4eff5d6d82c6c1ce8d5b2b85dc4f31caa83d

SHA512
617825be77106104e9eca095cbca978f9e93c11e70aeedc4fefbc730e3e4f97b4cd4839b053fa5c51124a14da3da0463825b69ce3a2c006d1db1a98595572a78

Download Submit
C:\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll

Filesize
1.2MB

MD5
fdad3414437c22baab613a5dc9390102

SHA1
1dcf85bb8e4051a51c6affbc868a129f5d2ebdde

SHA256
5a993cab63367545234ec2b0342274ed1214574481c5045579928248d9211ef4

SHA512
44e1bea82ad5bfb00ea666b0cd4c4acc69476f93d8d8239c134f9e9c45393a0294f7c9731fdfeaa397a892f28f3525a3ffe51937608efb17dbcb76efa2b4f11e

Download Submit
C:\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe

Filesize
108KB

MD5
6ebbb81d978d8e8d284f371a51170ac8

SHA1
5e3f615dfcbe3dd0177204b474b9cc77baa29a46

SHA256
466cdb1757a78f63d73bab89b49f5405a192d7f346c17f5fb6e2ee340e089c09

SHA512
af9e9f7d89aa6ed4d4b102f89d752f1f5275e072e4e9db4dd8d9824aa5bb783aa1cc3ddd6ee7fac7c692e10a15b21d743ca415e70c1a6e8112057033d13adfe5

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe

Filesize
108KB

MD5
6ebbb81d978d8e8d284f371a51170ac8

SHA1
5e3f615dfcbe3dd0177204b474b9cc77baa29a46

SHA256
466cdb1757a78f63d73bab89b49f5405a192d7f346c17f5fb6e2ee340e089c09

SHA512
af9e9f7d89aa6ed4d4b102f89d752f1f5275e072e4e9db4dd8d9824aa5bb783aa1cc3ddd6ee7fac7c692e10a15b21d743ca415e70c1a6e8112057033d13adfe5

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe

Filesize
313KB

MD5
b875f57879f9843920da1adac820c6d0

SHA1
19ca8f427bc3fea7b018251f8a76670a180cb4dc

SHA256
45dd10893acb2f62360f65a6d0916940fc062259b913afe4822f3525341b6b18

SHA512
3b2a7ed36e51314e59e35223760e816c037ac654d02969c96e2927825b3718a9b03776d9b3dea18633a231922494f6ec64019987142048e328a28fb03523b35e

Download Submit
C:\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe

Filesize
313KB

MD5
b875f57879f9843920da1adac820c6d0

SHA1
19ca8f427bc3fea7b018251f8a76670a180cb4dc

SHA256
45dd10893acb2f62360f65a6d0916940fc062259b913afe4822f3525341b6b18

SHA512
3b2a7ed36e51314e59e35223760e816c037ac654d02969c96e2927825b3718a9b03776d9b3dea18633a231922494f6ec64019987142048e328a28fb03523b35e

Download Submit
\??\pipe\crashpad_1708_SIBZFRMKDRCCVADT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel.exe

Filesize
431KB

MD5
ffdb2f56f32f977883b8ef43ab3f22ac

SHA1
13f9e58c1bab75b3b95a2178ae7cd19bc6605a3b

SHA256
0e5183f73fd21ca4426ddeea428f4eff5d6d82c6c1ce8d5b2b85dc4f31caa83d

SHA512
617825be77106104e9eca095cbca978f9e93c11e70aeedc4fefbc730e3e4f97b4cd4839b053fa5c51124a14da3da0463825b69ce3a2c006d1db1a98595572a78

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll

Filesize
1.2MB

MD5
fdad3414437c22baab613a5dc9390102

SHA1
1dcf85bb8e4051a51c6affbc868a129f5d2ebdde

SHA256
5a993cab63367545234ec2b0342274ed1214574481c5045579928248d9211ef4

SHA512
44e1bea82ad5bfb00ea666b0cd4c4acc69476f93d8d8239c134f9e9c45393a0294f7c9731fdfeaa397a892f28f3525a3ffe51937608efb17dbcb76efa2b4f11e

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll

Filesize
1.2MB

MD5
fdad3414437c22baab613a5dc9390102

SHA1
1dcf85bb8e4051a51c6affbc868a129f5d2ebdde

SHA256
5a993cab63367545234ec2b0342274ed1214574481c5045579928248d9211ef4

SHA512
44e1bea82ad5bfb00ea666b0cd4c4acc69476f93d8d8239c134f9e9c45393a0294f7c9731fdfeaa397a892f28f3525a3ffe51937608efb17dbcb76efa2b4f11e

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll

Filesize
1.2MB

MD5
fdad3414437c22baab613a5dc9390102

SHA1
1dcf85bb8e4051a51c6affbc868a129f5d2ebdde

SHA256
5a993cab63367545234ec2b0342274ed1214574481c5045579928248d9211ef4

SHA512
44e1bea82ad5bfb00ea666b0cd4c4acc69476f93d8d8239c134f9e9c45393a0294f7c9731fdfeaa397a892f28f3525a3ffe51937608efb17dbcb76efa2b4f11e

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll

Filesize
1.2MB

MD5
fdad3414437c22baab613a5dc9390102

SHA1
1dcf85bb8e4051a51c6affbc868a129f5d2ebdde

SHA256
5a993cab63367545234ec2b0342274ed1214574481c5045579928248d9211ef4

SHA512
44e1bea82ad5bfb00ea666b0cd4c4acc69476f93d8d8239c134f9e9c45393a0294f7c9731fdfeaa397a892f28f3525a3ffe51937608efb17dbcb76efa2b4f11e

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll

Filesize
1.2MB

MD5
fdad3414437c22baab613a5dc9390102

SHA1
1dcf85bb8e4051a51c6affbc868a129f5d2ebdde

SHA256
5a993cab63367545234ec2b0342274ed1214574481c5045579928248d9211ef4

SHA512
44e1bea82ad5bfb00ea666b0cd4c4acc69476f93d8d8239c134f9e9c45393a0294f7c9731fdfeaa397a892f28f3525a3ffe51937608efb17dbcb76efa2b4f11e

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel32.dll

Filesize
1.2MB

MD5
fdad3414437c22baab613a5dc9390102

SHA1
1dcf85bb8e4051a51c6affbc868a129f5d2ebdde

SHA256
5a993cab63367545234ec2b0342274ed1214574481c5045579928248d9211ef4

SHA512
44e1bea82ad5bfb00ea666b0cd4c4acc69476f93d8d8239c134f9e9c45393a0294f7c9731fdfeaa397a892f28f3525a3ffe51937608efb17dbcb76efa2b4f11e

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\PROGRA~2\COUPON~1\bin\CouponMarvel64.dll

Filesize
1.6MB

MD5
44d2eaabc46e96cfe3aca350e63e7513

SHA1
f2187c9df56ad5ea084fb711c90a5115bed911f6

SHA256
d1467103cd91966956a35462a666aaf69592752d41d802b83e2110252b029341

SHA512
29a945c81271332ab225148c5099517c6599a66f891acc211865e932872b88f658a05ca4f7e40c7b931436b0e588e62e1b2b37bbe2679e7505f1a54bdeb0b33c

Download Submit
\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe

Filesize
108KB

MD5
6ebbb81d978d8e8d284f371a51170ac8

SHA1
5e3f615dfcbe3dd0177204b474b9cc77baa29a46

SHA256
466cdb1757a78f63d73bab89b49f5405a192d7f346c17f5fb6e2ee340e089c09

SHA512
af9e9f7d89aa6ed4d4b102f89d752f1f5275e072e4e9db4dd8d9824aa5bb783aa1cc3ddd6ee7fac7c692e10a15b21d743ca415e70c1a6e8112057033d13adfe5

Download Submit
\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe

Filesize
108KB

MD5
6ebbb81d978d8e8d284f371a51170ac8

SHA1
5e3f615dfcbe3dd0177204b474b9cc77baa29a46

SHA256
466cdb1757a78f63d73bab89b49f5405a192d7f346c17f5fb6e2ee340e089c09

SHA512
af9e9f7d89aa6ed4d4b102f89d752f1f5275e072e4e9db4dd8d9824aa5bb783aa1cc3ddd6ee7fac7c692e10a15b21d743ca415e70c1a6e8112057033d13adfe5

Download Submit
\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe

Filesize
108KB

MD5
6ebbb81d978d8e8d284f371a51170ac8

SHA1
5e3f615dfcbe3dd0177204b474b9cc77baa29a46

SHA256
466cdb1757a78f63d73bab89b49f5405a192d7f346c17f5fb6e2ee340e089c09

SHA512
af9e9f7d89aa6ed4d4b102f89d752f1f5275e072e4e9db4dd8d9824aa5bb783aa1cc3ddd6ee7fac7c692e10a15b21d743ca415e70c1a6e8112057033d13adfe5

Download Submit
\Program Files (x86)\Coupon Marvel\bin\firefox-installer.exe

Filesize
108KB

MD5
6ebbb81d978d8e8d284f371a51170ac8

SHA1
5e3f615dfcbe3dd0177204b474b9cc77baa29a46

SHA256
466cdb1757a78f63d73bab89b49f5405a192d7f346c17f5fb6e2ee340e089c09

SHA512
af9e9f7d89aa6ed4d4b102f89d752f1f5275e072e4e9db4dd8d9824aa5bb783aa1cc3ddd6ee7fac7c692e10a15b21d743ca415e70c1a6e8112057033d13adfe5

Download Submit
\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe

Filesize
313KB

MD5
b875f57879f9843920da1adac820c6d0

SHA1
19ca8f427bc3fea7b018251f8a76670a180cb4dc

SHA256
45dd10893acb2f62360f65a6d0916940fc062259b913afe4822f3525341b6b18

SHA512
3b2a7ed36e51314e59e35223760e816c037ac654d02969c96e2927825b3718a9b03776d9b3dea18633a231922494f6ec64019987142048e328a28fb03523b35e

Download Submit
\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe

Filesize
313KB

MD5
b875f57879f9843920da1adac820c6d0

SHA1
19ca8f427bc3fea7b018251f8a76670a180cb4dc

SHA256
45dd10893acb2f62360f65a6d0916940fc062259b913afe4822f3525341b6b18

SHA512
3b2a7ed36e51314e59e35223760e816c037ac654d02969c96e2927825b3718a9b03776d9b3dea18633a231922494f6ec64019987142048e328a28fb03523b35e

Download Submit
\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe

Filesize
313KB

MD5
b875f57879f9843920da1adac820c6d0

SHA1
19ca8f427bc3fea7b018251f8a76670a180cb4dc

SHA256
45dd10893acb2f62360f65a6d0916940fc062259b913afe4822f3525341b6b18

SHA512
3b2a7ed36e51314e59e35223760e816c037ac654d02969c96e2927825b3718a9b03776d9b3dea18633a231922494f6ec64019987142048e328a28fb03523b35e

Download Submit
\Program Files (x86)\Coupon Marvel\bin\ie-installer.exe

Filesize
313KB

MD5
b875f57879f9843920da1adac820c6d0

SHA1
19ca8f427bc3fea7b018251f8a76670a180cb4dc

SHA256
45dd10893acb2f62360f65a6d0916940fc062259b913afe4822f3525341b6b18

SHA512
3b2a7ed36e51314e59e35223760e816c037ac654d02969c96e2927825b3718a9b03776d9b3dea18633a231922494f6ec64019987142048e328a28fb03523b35e

Download Submit
\Program Files (x86)\Coupon Marvel\coupon-marvel.dll

Filesize
218KB

MD5
b708a2266a96bc6b8437a2ebeab01060

SHA1
7481fadbf5a8785d1fb3169b5d55188c87140a09

SHA256
70af5551101ac56fb89b5cac653b87b1a9fbd6024c2b520fdd6e1b9a4d171472

SHA512
2f5d9d98a7a110d262f5a51bcc020bded07c366f3eab7b13ab63f265c1c61ea6fbacc8c7483907f1ca19dfbf251ef53506ad42fd8d7eb2e591849cd206bb4471

Download Submit
\Users\Admin\AppData\Local\Temp\nso2A5D.tmp\NSISHelper.dll

Filesize
268KB

MD5
04a992b8f4e102ffeed95d53609a12e3

SHA1
e5490eb13a3f02c78e4042b90e8b179b7a6f7c81

SHA256
5bd646e3b575448b9e7d1f11f7a17ef41b112bdd9cd877e047453069ac39098b

SHA512
6112990aa60da60aac2ebf902526cbf7e4963c8e5f044644faf06e2e18b16ec6d9b5b3709df5cd3b701c5157711ae77f8131d71b5bb34f841fc0a7bb1c9d1f5c

Download Submit
\Users\Admin\AppData\Local\Temp\nso2A5D.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Local\Temp\nso2A5D.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Local\Temp\nso2A5D.tmp\UserInfo.dll

Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
memory/548-88-0x0000000000000000-mapping.dmp

Download
memory/820-60-0x0000000000000000-mapping.dmp

Download
memory/892-70-0x0000000000000000-mapping.dmp

Download
memory/1620-85-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1620-82-0x0000000000000000-mapping.dmp

Download
memory/1932-86-0x0000000000000000-mapping.dmp

Download
memory/1968-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/2256-103-0x0000000000000000-mapping.dmp

Download