a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b

Analysis

max time kernel
175s
max time network
139s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b.exe
Size

6.9MB
MD5

76827e19ac4b6c300c8bc37754b321a9
SHA1

60f1144731e4e8e98d22a59df821256307c26364
SHA256

a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b
SHA512

beb2072de102d2d4d5925bd63925faa00828ad5e14f152d01544902e58293fb012991b6c614c3ff87c0928f4782b02f0302faff0f9fc0c672f4a9a1793bbc81b
SSDEEP

196608:CZXBJmubSsk25nnATnJpk789JENi1OudYjinaOB:ePD2sbngnXk77rudzn5B

Score

8^/10

adware discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1668	93cbede35b76f947099432c29ae922d2.exe
608	60e2547a445aaea49990c73f6dce90f51.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
1588	SputnikHelper.exe
920	GuardMailRu.exe
588	GuardMailRu.exe
1968	GuardMailRu.exe

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Modify Existing Service

T1031

pid	Process
364	netsh.exe
1476	netsh.exe
2016	netsh.exe
1136	netsh.exe

Loads dropped DLL 19 IoCs

pid	Process
1480	a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b.exe
1668	93cbede35b76f947099432c29ae922d2.exe
1668	93cbede35b76f947099432c29ae922d2.exe
1668	93cbede35b76f947099432c29ae922d2.exe
1668	93cbede35b76f947099432c29ae922d2.exe
1668	93cbede35b76f947099432c29ae922d2.exe
1668	93cbede35b76f947099432c29ae922d2.exe
1668	93cbede35b76f947099432c29ae922d2.exe
1668	93cbede35b76f947099432c29ae922d2.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
1968	GuardMailRu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Guard.Mail.ru.gui = "\"C:\\Program Files (x86)\\Mail.Ru\\Guard\\GuardMailRu.exe\" /gui"	GuardMailRu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	60e2547a445aaea49990c73f6dce90f52.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GuardMailRu.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8984B388-A5BB-4DF7-B274-77B879E179DB}	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8984B388-A5BB-4DF7-B274-77B879E179DB}\ = "Спутник@Mail.Ru"	60e2547a445aaea49990c73f6dce90f52.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\{dcd48218-e972-4d0c-9e5f-43462bc13e3b}\{9bed5ee2-0547-4706-8600-d3897629ade0}	GuardMailRu.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\{dcd48218-e972-4d0c-9e5f-43462bc13e3b}\{9bed5ee2-0547-4706-8600-d3897629ade0}	GuardMailRu.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll	60e2547a445aaea49990c73f6dce90f52.exe
File created	C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe	60e2547a445aaea49990c73f6dce90f52.exe
File created	C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikFlashPlayer.exe	60e2547a445aaea49990c73f6dce90f52.exe
File created	C:\Program Files (x86)\Mail.Ru\Sputnik\60e2547a445aaea49990c73f6dce90f52.exe	60e2547a445aaea49990c73f6dce90f52.exe
File opened for modification	C:\Program Files (x86)\Mail.Ru\Sputnik\60e2547a445aaea49990c73f6dce90f52.exe	60e2547a445aaea49990c73f6dce90f52.exe
File created	C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe	GuardMailRu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FC88B53C-9B2A-1A25-5867-C8612E79DBF6}	60e2547a445aaea49990c73f6dce90f51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{97AACB1D-5E5F-4002-B18B-3346787A7F75}\AppName = "SputnikHelper.exe"	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1753B788-C64C-4D57-B6BC-95C48992C4A7}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E88E0043-C9D4-4e33-8555-FEE4F5B63060}	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26fe7361-bd5a-4dcb-b309-c6f42dde661c}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{49E561B1-1091-4E65-98A0-AFCA4996CD1D}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6bf52a52-394a-11d3-b153-00c04f79faa6}-32	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{78c7b664-c9bf-4ce9-8b3a-b05d442e451e}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a1ad1bbb-3b33-4260-a74c-5fd8bc1479fc}	60e2547a445aaea49990c73f6dce90f51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8CADEA73-0B92-405C-84CD-4D5F902B8BC1}\Policy = "3"	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights	60e2547a445aaea49990c73f6dce90f51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E88E0043-C9D4-4e33-8555-FEE4F5B63060}\URL = "http://go.mail.ru/search?q={searchTerms}&utf8in=1&fr=ietb"	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{358E6F10-DE8A-4602-8424-179CA217F8EE}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7eb01fb2-f185-445a-94e4-ec4e1ba2202c}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8cec58ae-07a1-11d9-b15e-000d56bfe6ee}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{aff735eb-cdf9-4894-aa69-3e3131128618}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{dc6bf185-7ae4-444e-8c35-e447b0d2bd1e}	60e2547a445aaea49990c73f6dce90f51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{97AACB1D-5E5F-4002-B18B-3346787A7F75}\AppPath = "C:\\Program Files (x86)\\Mail.Ru\\Sputnik"	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4becf16c-74f0-429b-8d3e-4fba507ac661}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{130c40f0-1bcb-4852-8b63-291cf90a600b}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e5f90a07-7db7-4dcb-bd6d-d3fecd376ca3}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F6A6CA96-B08E-4429-BA30-39232494F292}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2391d819-9d17-44ec-9ac1-f6aa07549469}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	60e2547a445aaea49990c73f6dce90f52.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 1300000000000000000000002000000010000b000000000001000000810600004b000000060000008100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e80d9009ca1d3f44924326ff581438af0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{97AACB1D-5E5F-4002-B18B-3346787A7F75}	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E88E0043-C9D4-4e33-8555-FEE4F5B63060}	GuardMailRu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb9e068b-c612-4fa8-bdb9-d728a716a420}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8CADEA73-0B92-405C-84CD-4D5F902B8BC1}	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	GuardMailRu.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\SearchScopes	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{000209FF-0000-0000-C000-000000000046}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2BBE903C-2776-4574-9855-EC1597ABE3D6}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}	60e2547a445aaea49990c73f6dce90f51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E88E0043-C9D4-4e33-8555-FEE4F5B63060}\DisplayName = "mail.ru: Поиск в Интернете"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{97AACB1D-5E5F-4002-B18B-3346787A7F75}\Policy = "3"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E88E0043-C9D4-4e33-8555-FEE4F5B63060}\SuggestionsURL = "http://suggests.go.mail.ru/ie8?q={searchTerms}"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{E88E0043-C9D4-4e33-8555-FEE4F5B63060}"	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6bf52a52-394a-11d3-b153-00c04f79faa6}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{85fc331e-bb64-4c53-ba25-3d8a956c02fd}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a5a2d52a-4944-47c4-a3e0-8bd92e14d953}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F7629763-7562-4d3a-8468-6CA5563852B2}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	60e2547a445aaea49990c73f6dce90f51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E88E0043-C9D4-4e33-8555-FEE4F5B63060}\FaviconURLFallback = "http://go.mail.ru/favicon.ico"	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{041a5213-ea64-4c45-99af-70d7d8e902ec}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{054aae20-4bea-4347-8a35-64a533254a9d}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08f24d68-9087-4b24-81ad-7b34af3e3ed5}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{95a4104c-1c49-4c2a-9830-1be0f47e926c}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BD18A03F-31CC-4CC0-B52D-9E199122923D}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1138506a-b949-46a7-b6c0-ee26499fdeaf}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{357FBE87-6C8E-490D-A059-4746C864AE6F}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7aaae723-5fb5-4b2d-9327-75519f336825}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{877467C0-F9E4-4561-84F0-65AA7539833C}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{eee261cc-4b3e-46e7-affb-61f297155bf2}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{03288CB3-3893-46D1-8D58-B2F8BB6FF5BF}	60e2547a445aaea49990c73f6dce90f51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9da1d2cb-796d-4bec-bbaa-0aa9ccd80e15}	60e2547a445aaea49990c73f6dce90f51.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.mail.ru/cnt/9516"	60e2547a445aaea49990c73f6dce90f52.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRu.MailRuSputnikObj\CLSID\ = "{09900DE8-1DCA-443F-9243-26FF581438AF}"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\TypeLib\ = "{D9396DCA-81B4-4C62-8C48-619573A3C4E6}"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6024453-8AD2-4424-8C4E-AB8BDE5506B9}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Mail.Ru\\Sputnik"	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D1384D8-DA46-44FF-8E24-2049552FF9D7}	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}\VersionIndependentProgID	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRu.MailRuSputnikObj\CLSID	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D1384D8-DA46-44FF-8E24-2049552FF9D7}\TypeLib\Version = "1.0"	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6024453-8AD2-4424-8C4E-AB8BDE5506B9}\1.0\FLAGS\ = "0"	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRuSputnik.MailRuBHO\CurVer	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRuSputnik.MailRuBHO.1\ = "MailRuBHO Class"	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRu.MailRuSputnikObj\CurVer	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SputnikHelper.SputnikHelperObj\CLSID	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2D4C0D4-2E88-40D0-A0DB-B8F9AC388529}\ProgID\ = "SputnikHelper.SputnikHelperObj.1"	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2D4C0D4-2E88-40D0-A0DB-B8F9AC388529}\VersionIndependentProgID	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2D4C0D4-2E88-40D0-A0DB-B8F9AC388529}\TypeLib	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SputnikHelper.EXE\AppID = "{BFD1C493-BE73-4660-9924-7C23CF34C11D}"	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2D4C0D4-2E88-40D0-A0DB-B8F9AC388529}\LocalServer32	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2D4C0D4-2E88-40D0-A0DB-B8F9AC388529}\LocalServer32\ = "\"C:\\Program Files (x86)\\Mail.Ru\\Sputnik\\SputnikHelper.exe\""	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6024453-8AD2-4424-8C4E-AB8BDE5506B9}\1.0	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D1384D8-DA46-44FF-8E24-2049552FF9D7}\TypeLib	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\InprocServer32	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRu.MailRuSputnikObj\ = "Спутник@Mail.Ru"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\InprocServer32\ = "C:\\Program Files (x86)\\Mail.Ru\\Sputnik\\MailRuSputnik.dll"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\VersionIndependentProgID\ = "MailRu.MailRuSputnikObj"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SputnikHelper.SputnikHelperObj.1\ = "SputnikHelperObj Class"	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRu.MailRuSputnikObj.1\ = "Спутник@Mail.Ru"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\ProgID\ = "MailRu.MailRuSputnikObj.1"	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2D4C0D4-2E88-40D0-A0DB-B8F9AC388529}\Programmable	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6024453-8AD2-4424-8C4E-AB8BDE5506B9}	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D1384D8-DA46-44FF-8E24-2049552FF9D7}	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRuSputnik.MailRuBHO\CurVer\ = "MailRuSputnik.MailRuBHO.1"	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}\ProgID	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BFD1C493-BE73-4660-9924-7C23CF34C11D}\ = "SputnikHelper"	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D1384D8-DA46-44FF-8E24-2049552FF9D7}\ = "ISputnikHelperObj"	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D1384D8-DA46-44FF-8E24-2049552FF9D7}\ = "ISputnikHelperObj"	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRuSputnik.MailRuBHO\CLSID	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SputnikHelper.SputnikHelperObj\CLSID\ = "{D2D4C0D4-2E88-40D0-A0DB-B8F9AC388529}"	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRuSputnik.MailRuBHO.1\CLSID\ = "{8984B388-A5BB-4DF7-B274-77B879E179DB}"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}\InprocServer32\ = "C:\\Program Files (x86)\\Mail.Ru\\Sputnik\\MailRuSputnik.dll"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}\TypeLib\ = "{D9396DCA-81B4-4C62-8C48-619573A3C4E6}"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SputnikHelper.SputnikHelperObj.1\CLSID\ = "{D2D4C0D4-2E88-40D0-A0DB-B8F9AC388529}"	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2D4C0D4-2E88-40D0-A0DB-B8F9AC388529}	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6024453-8AD2-4424-8C4E-AB8BDE5506B9}\1.0\ = "SputnikHelper 1.0 Type Library"	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6024453-8AD2-4424-8C4E-AB8BDE5506B9}\1.0\0	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRuSputnik.MailRuBHO.1\CLSID	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRu.MailRuSputnikObj\CurVer\ = "MailRu.MailRuSputnikObj.1"	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailRu.MailRuSputnikObj.1	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\TypeLib	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SputnikHelper.EXE	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D2D4C0D4-2E88-40D0-A0DB-B8F9AC388529}\ = "SputnikHelperObj Class"	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6024453-8AD2-4424-8C4E-AB8BDE5506B9}\1.0\0\win32\ = "C:\\Program Files (x86)\\Mail.Ru\\Sputnik\\SputnikHelper.exe"	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6024453-8AD2-4424-8C4E-AB8BDE5506B9}\1.0\HELPDIR	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D1384D8-DA46-44FF-8E24-2049552FF9D7}\TypeLib\Version = "1.0"	SputnikHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D1384D8-DA46-44FF-8E24-2049552FF9D7}\TypeLib\ = "{A6024453-8AD2-4424-8C4E-AB8BDE5506B9}"	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D1384D8-DA46-44FF-8E24-2049552FF9D7}\ProxyStubClsid32	SputnikHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}\Programmable	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8984B388-A5BB-4DF7-B274-77B879E179DB}\VersionIndependentProgID\ = "MailRuSputnik.MailRuBHO"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\ = "Спутник@Mail.Ru"	60e2547a445aaea49990c73f6dce90f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\InprocServer32\ThreadingModel = "Apartment"	60e2547a445aaea49990c73f6dce90f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09900DE8-1DCA-443F-9243-26FF581438AF}\ProgID	60e2547a445aaea49990c73f6dce90f52.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	93cbede35b76f947099432c29ae922d2.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
1960	60e2547a445aaea49990c73f6dce90f52.exe
920	GuardMailRu.exe
920	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe
588	GuardMailRu.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1668	1480	a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b.exe	28
PID 1480 wrote to memory of 1668	1480	a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b.exe	28
PID 1480 wrote to memory of 1668	1480	a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b.exe	28
PID 1480 wrote to memory of 1668	1480	a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b.exe	28
PID 1668 wrote to memory of 608	1668	93cbede35b76f947099432c29ae922d2.exe	30
PID 1668 wrote to memory of 608	1668	93cbede35b76f947099432c29ae922d2.exe	30
PID 1668 wrote to memory of 608	1668	93cbede35b76f947099432c29ae922d2.exe	30
PID 1668 wrote to memory of 608	1668	93cbede35b76f947099432c29ae922d2.exe	30
PID 1668 wrote to memory of 608	1668	93cbede35b76f947099432c29ae922d2.exe	30
PID 1668 wrote to memory of 608	1668	93cbede35b76f947099432c29ae922d2.exe	30
PID 1668 wrote to memory of 608	1668	93cbede35b76f947099432c29ae922d2.exe	30
PID 608 wrote to memory of 364	608	60e2547a445aaea49990c73f6dce90f51.exe	31
PID 608 wrote to memory of 364	608	60e2547a445aaea49990c73f6dce90f51.exe	31
PID 608 wrote to memory of 364	608	60e2547a445aaea49990c73f6dce90f51.exe	31
PID 608 wrote to memory of 364	608	60e2547a445aaea49990c73f6dce90f51.exe	31
PID 608 wrote to memory of 1476	608	60e2547a445aaea49990c73f6dce90f51.exe	33
PID 608 wrote to memory of 1476	608	60e2547a445aaea49990c73f6dce90f51.exe	33
PID 608 wrote to memory of 1476	608	60e2547a445aaea49990c73f6dce90f51.exe	33
PID 608 wrote to memory of 1476	608	60e2547a445aaea49990c73f6dce90f51.exe	33
PID 1668 wrote to memory of 1960	1668	93cbede35b76f947099432c29ae922d2.exe	35
PID 1668 wrote to memory of 1960	1668	93cbede35b76f947099432c29ae922d2.exe	35
PID 1668 wrote to memory of 1960	1668	93cbede35b76f947099432c29ae922d2.exe	35
PID 1668 wrote to memory of 1960	1668	93cbede35b76f947099432c29ae922d2.exe	35
PID 1668 wrote to memory of 1960	1668	93cbede35b76f947099432c29ae922d2.exe	35
PID 1668 wrote to memory of 1960	1668	93cbede35b76f947099432c29ae922d2.exe	35
PID 1668 wrote to memory of 1960	1668	93cbede35b76f947099432c29ae922d2.exe	35
PID 1960 wrote to memory of 1588	1960	60e2547a445aaea49990c73f6dce90f52.exe	36
PID 1960 wrote to memory of 1588	1960	60e2547a445aaea49990c73f6dce90f52.exe	36
PID 1960 wrote to memory of 1588	1960	60e2547a445aaea49990c73f6dce90f52.exe	36
PID 1960 wrote to memory of 1588	1960	60e2547a445aaea49990c73f6dce90f52.exe	36
PID 1960 wrote to memory of 2016	1960	60e2547a445aaea49990c73f6dce90f52.exe	37
PID 1960 wrote to memory of 2016	1960	60e2547a445aaea49990c73f6dce90f52.exe	37
PID 1960 wrote to memory of 2016	1960	60e2547a445aaea49990c73f6dce90f52.exe	37
PID 1960 wrote to memory of 2016	1960	60e2547a445aaea49990c73f6dce90f52.exe	37
PID 1960 wrote to memory of 1136	1960	60e2547a445aaea49990c73f6dce90f52.exe	41
PID 1960 wrote to memory of 1136	1960	60e2547a445aaea49990c73f6dce90f52.exe	41
PID 1960 wrote to memory of 1136	1960	60e2547a445aaea49990c73f6dce90f52.exe	41
PID 1960 wrote to memory of 1136	1960	60e2547a445aaea49990c73f6dce90f52.exe	41
PID 1960 wrote to memory of 920	1960	60e2547a445aaea49990c73f6dce90f52.exe	43
PID 1960 wrote to memory of 920	1960	60e2547a445aaea49990c73f6dce90f52.exe	43
PID 1960 wrote to memory of 920	1960	60e2547a445aaea49990c73f6dce90f52.exe	43
PID 1960 wrote to memory of 920	1960	60e2547a445aaea49990c73f6dce90f52.exe	43
PID 920 wrote to memory of 1968	920	GuardMailRu.exe	45
PID 920 wrote to memory of 1968	920	GuardMailRu.exe	45
PID 920 wrote to memory of 1968	920	GuardMailRu.exe	45
PID 920 wrote to memory of 1968	920	GuardMailRu.exe	45

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	60e2547a445aaea49990c73f6dce90f52.exe

C:\Users\Admin\AppData\Local\Temp\a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b.exe
"C:\Users\Admin\AppData\Local\Temp\a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\93cbede35b76f947099432c29ae922d2.exe
  "C:\Users\Admin\AppData\Local\Temp\93cbede35b76f947099432c29ae922d2.exe" /c mailru
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f51.exe
    "C:\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f51.exe" /uninstall /silent
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:608
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" firewall delete allowedprogram "SputnikHelper.exe"
      4⤵
      Modifies Windows Firewall
      PID:364
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" firewall delete allowedprogram "SputnikFlashPlayer.exe"
      4⤵
      Modifies Windows Firewall
      PID:1476
- - C:\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f52.exe
    "C:\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f52.exe" /silent /rfr=openpr /mpcln=9516 /partner_new_url=http://smstransfers.net/toolbar.php?id=3930&file_id=343303&guid=$__GUID&sig=$__SIG
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1960
  - - C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe
      "C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe" /RegServer
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1588
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe" "C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe" ENABLE ALL
      4⤵
      Modifies Windows Firewall
      PID:2016
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikFlashPlayer.exe" "C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikFlashPlayer.exe" ENABLE ALL
      4⤵
      Modifies Windows Firewall
      PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\GuardMailRu.exe
      "C:\Users\Admin\AppData\Local\Temp\GuardMailRu.exe" /INSTALL2 /LANG=ru /GUID={1B9EFBA9-8B1D-4A3E-90E8-A4EBC950745E}
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
        
        "C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe" /gui
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1968

C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
"C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe

Filesize
1.6MB

MD5
4e808bd83cc5ecf45163fc7942657a1a

SHA1
35cf5e55111a95a8d67f14d6efe80f46c240159a

SHA256
a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

SHA512
4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

Download Submit
C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe

Filesize
1.6MB

MD5
4e808bd83cc5ecf45163fc7942657a1a

SHA1
35cf5e55111a95a8d67f14d6efe80f46c240159a

SHA256
a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

SHA512
4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

Download Submit
C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll

Filesize
1.5MB

MD5
56d85d7003505c771b2e9dbde94cc198

SHA1
8a4415d69ac95281fb8ed7b23f5ef8ac7f2987d1

SHA256
0d90251790d8886dedb79129a8cdfad69b44675cfe6f7c4924f69bdff18f69e0

SHA512
113c511dbe49a61ebcedf9900adf814039be639392f7408d581b7e80448cd6881985a4649b8d9ac9998d835d3c3bc5a3164d6a91a9ba5dae84aaab38376acd27

Download Submit
C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe

Filesize
263KB

MD5
087f605952660f57198f90625324dba1

SHA1
2e1e5f0132c7bc6df36cde8debfc6fa7adfb6b54

SHA256
52c532141e36ddbfe58424781827f8996b18a86fdf6d088f95fe063cf9c4f4cd

SHA512
38e2d5ff20f814c94d5abe5f3b53f8480c64f78e2e2b57ce864d421f9fece1fc04c093ceee1449bde66392894bd7c07d25e4692a4c0337f05fd021e7f5fff103

Download Submit
C:\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe

Filesize
263KB

MD5
087f605952660f57198f90625324dba1

SHA1
2e1e5f0132c7bc6df36cde8debfc6fa7adfb6b54

SHA256
52c532141e36ddbfe58424781827f8996b18a86fdf6d088f95fe063cf9c4f4cd

SHA512
38e2d5ff20f814c94d5abe5f3b53f8480c64f78e2e2b57ce864d421f9fece1fc04c093ceee1449bde66392894bd7c07d25e4692a4c0337f05fd021e7f5fff103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7f472b435693c9b3e07d288321067c90

SHA1
f033c9e7e368f4939de58c45e9a7e67853aa5497

SHA256
feaaaa08881920ffb1e39de296d2c13ad408a40deb06131584e968ec591f5073

SHA512
6577686f34c5a0dfe2f54b718217c88d2b9a7a03a149df1e4458dcc4fb689d85b3d433001cb82fc58f44fe2af69fb76438ecd82133916f15843d196b68563be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f51.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f51.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f52.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f52.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\93cbede35b76f947099432c29ae922d2.exe

Filesize
6.9MB

MD5
76827e19ac4b6c300c8bc37754b321a9

SHA1
60f1144731e4e8e98d22a59df821256307c26364

SHA256
a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b

SHA512
beb2072de102d2d4d5925bd63925faa00828ad5e14f152d01544902e58293fb012991b6c614c3ff87c0928f4782b02f0302faff0f9fc0c672f4a9a1793bbc81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\93cbede35b76f947099432c29ae922d2.exe

Filesize
6.9MB

MD5
76827e19ac4b6c300c8bc37754b321a9

SHA1
60f1144731e4e8e98d22a59df821256307c26364

SHA256
a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b

SHA512
beb2072de102d2d4d5925bd63925faa00828ad5e14f152d01544902e58293fb012991b6c614c3ff87c0928f4782b02f0302faff0f9fc0c672f4a9a1793bbc81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GuardMailRu.exe

Filesize
1.6MB

MD5
4e808bd83cc5ecf45163fc7942657a1a

SHA1
35cf5e55111a95a8d67f14d6efe80f46c240159a

SHA256
a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

SHA512
4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GuardMailRu.exe

Filesize
1.6MB

MD5
4e808bd83cc5ecf45163fc7942657a1a

SHA1
35cf5e55111a95a8d67f14d6efe80f46c240159a

SHA256
a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

SHA512
4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

Download Submit
\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll

Filesize
1.5MB

MD5
56d85d7003505c771b2e9dbde94cc198

SHA1
8a4415d69ac95281fb8ed7b23f5ef8ac7f2987d1

SHA256
0d90251790d8886dedb79129a8cdfad69b44675cfe6f7c4924f69bdff18f69e0

SHA512
113c511dbe49a61ebcedf9900adf814039be639392f7408d581b7e80448cd6881985a4649b8d9ac9998d835d3c3bc5a3164d6a91a9ba5dae84aaab38376acd27

Download Submit
\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll

Filesize
1.5MB

MD5
56d85d7003505c771b2e9dbde94cc198

SHA1
8a4415d69ac95281fb8ed7b23f5ef8ac7f2987d1

SHA256
0d90251790d8886dedb79129a8cdfad69b44675cfe6f7c4924f69bdff18f69e0

SHA512
113c511dbe49a61ebcedf9900adf814039be639392f7408d581b7e80448cd6881985a4649b8d9ac9998d835d3c3bc5a3164d6a91a9ba5dae84aaab38376acd27

Download Submit
\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe

Filesize
263KB

MD5
087f605952660f57198f90625324dba1

SHA1
2e1e5f0132c7bc6df36cde8debfc6fa7adfb6b54

SHA256
52c532141e36ddbfe58424781827f8996b18a86fdf6d088f95fe063cf9c4f4cd

SHA512
38e2d5ff20f814c94d5abe5f3b53f8480c64f78e2e2b57ce864d421f9fece1fc04c093ceee1449bde66392894bd7c07d25e4692a4c0337f05fd021e7f5fff103

Download Submit
\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe

Filesize
263KB

MD5
087f605952660f57198f90625324dba1

SHA1
2e1e5f0132c7bc6df36cde8debfc6fa7adfb6b54

SHA256
52c532141e36ddbfe58424781827f8996b18a86fdf6d088f95fe063cf9c4f4cd

SHA512
38e2d5ff20f814c94d5abe5f3b53f8480c64f78e2e2b57ce864d421f9fece1fc04c093ceee1449bde66392894bd7c07d25e4692a4c0337f05fd021e7f5fff103

Download Submit
\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe

Filesize
263KB

MD5
087f605952660f57198f90625324dba1

SHA1
2e1e5f0132c7bc6df36cde8debfc6fa7adfb6b54

SHA256
52c532141e36ddbfe58424781827f8996b18a86fdf6d088f95fe063cf9c4f4cd

SHA512
38e2d5ff20f814c94d5abe5f3b53f8480c64f78e2e2b57ce864d421f9fece1fc04c093ceee1449bde66392894bd7c07d25e4692a4c0337f05fd021e7f5fff103

Download Submit
\Program Files (x86)\Mail.Ru\Sputnik\SputnikHelper.exe

Filesize
263KB

MD5
087f605952660f57198f90625324dba1

SHA1
2e1e5f0132c7bc6df36cde8debfc6fa7adfb6b54

SHA256
52c532141e36ddbfe58424781827f8996b18a86fdf6d088f95fe063cf9c4f4cd

SHA512
38e2d5ff20f814c94d5abe5f3b53f8480c64f78e2e2b57ce864d421f9fece1fc04c093ceee1449bde66392894bd7c07d25e4692a4c0337f05fd021e7f5fff103

Download Submit
\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f51.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f51.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f51.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f51.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f52.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f52.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f52.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
\Users\Admin\AppData\Local\Temp\60e2547a445aaea49990c73f6dce90f52.exe

Filesize
3.8MB

MD5
e60a475bd1f3fd8ef26341406da4ddaa

SHA1
3478887290966bf94525dfed829746b39731e627

SHA256
859bbdd2ab0e14cbfe3a951fad3ec723984d962f74f17813220abc8887fd3338

SHA512
424164da27f9750764eb08ec30468f9e036fae9f5b59181054c4c2e1ba4d1d710e06d49409e608fbeec14b0efc60e726254b7280c848f9f3ec95f3dbb00d91f3

Download Submit
\Users\Admin\AppData\Local\Temp\93cbede35b76f947099432c29ae922d2.exe

Filesize
6.9MB

MD5
76827e19ac4b6c300c8bc37754b321a9

SHA1
60f1144731e4e8e98d22a59df821256307c26364

SHA256
a95f207ca6b9ff09a248614ae30b3ddfbe1aaad61ccca7438451fdaa879b0c8b

SHA512
beb2072de102d2d4d5925bd63925faa00828ad5e14f152d01544902e58293fb012991b6c614c3ff87c0928f4782b02f0302faff0f9fc0c672f4a9a1793bbc81b

Download Submit
\Users\Admin\AppData\Local\Temp\GuardMailRu.exe

Filesize
1.6MB

MD5
4e808bd83cc5ecf45163fc7942657a1a

SHA1
35cf5e55111a95a8d67f14d6efe80f46c240159a

SHA256
a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

SHA512
4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

Download Submit
\Users\Admin\AppData\Local\Temp\GuardMailRu.exe

Filesize
1.6MB

MD5
4e808bd83cc5ecf45163fc7942657a1a

SHA1
35cf5e55111a95a8d67f14d6efe80f46c240159a

SHA256
a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

SHA512
4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

Download Submit
\Users\Admin\AppData\Local\Temp\GuardMailRu.exe

Filesize
1.6MB

MD5
4e808bd83cc5ecf45163fc7942657a1a

SHA1
35cf5e55111a95a8d67f14d6efe80f46c240159a

SHA256
a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

SHA512
4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

Download Submit
\Users\Admin\AppData\Local\Temp\GuardMailRu.exe

Filesize
1.6MB

MD5
4e808bd83cc5ecf45163fc7942657a1a

SHA1
35cf5e55111a95a8d67f14d6efe80f46c240159a

SHA256
a6ccc5b32f422b74b2fe68456b6c89543984ba67fa5716cc144e2b5e9e9b3c11

SHA512
4c61f777bef89be7a89c95ebd6e82bfc67f49ba8a2e5e1995e570ccf45ec43609a461fb072f44882e2766ac4db44468694d1b561939e68cac3b36d37988ad96f

Download Submit
memory/1480-58-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/1480-54-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/1480-55-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/1480-62-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/1480-56-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/1480-57-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/1668-64-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/1668-106-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download