a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c

Analysis

max time kernel
196s
max time network
238s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
Size

116KB
MD5

2dd5566a545c687b3b770f24d9a4fa4f
SHA1

8ca957d133a82ba2344401f05a9a320ee37c1c09
SHA256

a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c
SHA512

a2fe42aa3b4081feee4924b79ccf49390394af7d5a8ed3f73addc437d9a3acd3eb272da945cb14b2eeaf29f516cc6bc106ba6e843327990a39ccf1057f103d1c
SSDEEP

1536:oJwB93uVGLnuTaLupX7RFJGE+RsPaaxSVKR0mI53pAs34vc7OtK0iDg+SI37:LB93bbuTaqIESsCaxfRHOAsogOteDJj

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/296-55-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral1/memory/296-56-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral1/files/0x000b000000012333-57.dat	vmprotect
behavioral1/memory/856-61-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral1/memory/296-63-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect

Deletes itself 1 IoCs

pid	Process
1996	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\QLSWN3PH.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NewErrorPageTemplate[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB950A91-75CC-11ED-AE55-6A950B37D0A0}.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\08FKQ4EG.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url:favicon	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B8A439B1-75CC-11ED-AE55-6A950B37D0A0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\QGFHGTFG.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\N2SBL2QI.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\ULXIXF3X.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\WOJNH78Q.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\YRDHZNTF.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CB950A93-75CC-11ED-AE55-6A950B37D0A0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F1744AF3-75CC-11ED-AE55-6A950B37D0A0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B8A439B1-75CC-11ED-AE55-6A950B37D0A0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NewErrorPageTemplate[1]	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B8A439B1-75CC-11ED-AE55-6A950B37D0A0}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DE837A11-75CC-11ED-AE55-6A950B37D0A0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DE837A11-75CC-11ED-AE55-6A950B37D0A0}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\J8L8W7CU.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\X7R0478N.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DE837A11-75CC-11ED-AE55-6A950B37D0A0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\TraversinIE.exe	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DE837A13-75CC-11ED-AE55-6A950B37D0A0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserror[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
296	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B89D1591-75CC-11ED-AE55-6A950B37D0A0} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0045000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e6070c0003000700010011000d001a0200000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C3B504-47C6-4141-ADAB-8862A97112D0}\WpadDecisionReason = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0045000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DE837A11-75CC-11ED-AE55-6A950B37D0A0} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C3B504-47C6-4141-ADAB-8862A97112D0}\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C3B504-47C6-4141-ADAB-8862A97112D0}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags = "1024"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
Token: SeIncBasePriorityPrivilege	296	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
520	IEXPLORE.EXE
520	IEXPLORE.EXE
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
1516	IEXPLORE.EXE
1516	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2020	296	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	29
PID 296 wrote to memory of 2020	296	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	29
PID 296 wrote to memory of 2020	296	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	29
PID 296 wrote to memory of 2020	296	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	29
PID 856 wrote to memory of 520	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	30
PID 856 wrote to memory of 520	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	30
PID 856 wrote to memory of 520	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	30
PID 856 wrote to memory of 520	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	30
PID 520 wrote to memory of 924	520	IEXPLORE.EXE	31
PID 520 wrote to memory of 924	520	IEXPLORE.EXE	31
PID 520 wrote to memory of 924	520	IEXPLORE.EXE	31
PID 520 wrote to memory of 1092	520	IEXPLORE.EXE	33
PID 520 wrote to memory of 1092	520	IEXPLORE.EXE	33
PID 520 wrote to memory of 1092	520	IEXPLORE.EXE	33
PID 520 wrote to memory of 1092	520	IEXPLORE.EXE	33
PID 2020 wrote to memory of 1808	2020	IEXPLORE.EXE	34
PID 2020 wrote to memory of 1808	2020	IEXPLORE.EXE	34
PID 2020 wrote to memory of 1808	2020	IEXPLORE.EXE	34
PID 2020 wrote to memory of 1808	2020	IEXPLORE.EXE	34
PID 296 wrote to memory of 1996	296	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	35
PID 296 wrote to memory of 1996	296	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	35
PID 296 wrote to memory of 1996	296	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	35
PID 296 wrote to memory of 1996	296	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	35
PID 856 wrote to memory of 1968	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	36
PID 856 wrote to memory of 1968	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	36
PID 856 wrote to memory of 1968	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	36
PID 856 wrote to memory of 1968	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	36
PID 1968 wrote to memory of 1616	1968	IEXPLORE.EXE	37
PID 1968 wrote to memory of 1616	1968	IEXPLORE.EXE	37
PID 1968 wrote to memory of 1616	1968	IEXPLORE.EXE	37
PID 1968 wrote to memory of 1616	1968	IEXPLORE.EXE	37
PID 856 wrote to memory of 1060	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	38
PID 856 wrote to memory of 1060	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	38
PID 856 wrote to memory of 1060	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	38
PID 856 wrote to memory of 1060	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	38
PID 1060 wrote to memory of 1952	1060	IEXPLORE.EXE	39
PID 1060 wrote to memory of 1952	1060	IEXPLORE.EXE	39
PID 1060 wrote to memory of 1952	1060	IEXPLORE.EXE	39
PID 1060 wrote to memory of 1952	1060	IEXPLORE.EXE	39
PID 856 wrote to memory of 2028	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	41
PID 856 wrote to memory of 2028	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	41
PID 856 wrote to memory of 2028	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	41
PID 856 wrote to memory of 2028	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	41
PID 2028 wrote to memory of 1516	2028	IEXPLORE.EXE	42
PID 2028 wrote to memory of 1516	2028	IEXPLORE.EXE	42
PID 2028 wrote to memory of 1516	2028	IEXPLORE.EXE	42
PID 2028 wrote to memory of 1516	2028	IEXPLORE.EXE	42
PID 856 wrote to memory of 1544	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	43
PID 856 wrote to memory of 1544	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	43
PID 856 wrote to memory of 1544	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	43
PID 856 wrote to memory of 1544	856	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	43
PID 1544 wrote to memory of 1604	1544	IEXPLORE.EXE	44
PID 1544 wrote to memory of 1604	1544	IEXPLORE.EXE	44
PID 1544 wrote to memory of 1604	1544	IEXPLORE.EXE	44
PID 1544 wrote to memory of 1604	1544	IEXPLORE.EXE	44

C:\Users\Admin\AppData\Local\Temp\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
"C:\Users\Admin\AppData\Local\Temp\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:296
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/dos/qt.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A5A837~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1996

C:\Windows\SysWOW64\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
C:\Windows\SysWOW64\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    PID:924
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:275457 /prefetch:2
    3⤵
    PID:1092
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:1616
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:1952
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:1516
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1544 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe

Filesize
116KB

MD5
2dd5566a545c687b3b770f24d9a4fa4f

SHA1
8ca957d133a82ba2344401f05a9a320ee37c1c09

SHA256
a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c

SHA512
a2fe42aa3b4081feee4924b79ccf49390394af7d5a8ed3f73addc437d9a3acd3eb272da945cb14b2eeaf29f516cc6bc106ba6e843327990a39ccf1057f103d1c

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
0fab858373745ab41df8a2b9145ef2f2

SHA1
d0f6290586fc7ce0ce275685e8b67b89c86176d1

SHA256
e8bb09f5c2360a4f8b60b6800e941f92b4bc825fec8be8151c3bfd77ca7aab07

SHA512
3a15f8ce5ad507a58850fa6609d785a89ad906e7401152da2808d06fdb36f33bd191633b81ab84e77b9006f20ad7e19893ded3f2725c359cfa770cb68d049545

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
416B

MD5
8ee95deeb6b3bdf1a999ba88ac67f3a3

SHA1
e943f465b67a62e55e0cde398bef7d9e39422fba

SHA256
8f8d239247cb4c6ae7c943cfbf085807282e15248b30a49c1d467eaaef2c3ce7

SHA512
6cb4b37939cd56ea8cf21576bd888df8b33ad5b1d9ba6e6c95245813b1407b079851747094a880602d2c27546c760e0babd16cd01e08c148ab23fb87bec35bec

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e6d4b3cc27f5360b57a286be67babe2

SHA1
3c3cba85d2fdf77a09a41b968bf5f1130a3b7471

SHA256
47bdeec043a36f440e06655ab67be78eb84cb0a9725637c890dbfc4cfee1acb1

SHA512
6e7da2dd167ccee86a15af521737bd775743b679e638ef15dbcbe8cef3278d1d9927c098242797617385e4943e0fa35317873e4e54ce107c5fa526cbbfc2fc0e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
03a01225c97714fe3d862e89a139c659

SHA1
28ff62a4b07c74c4a6fa278a678e5a1f973a80e8

SHA256
bfbb8cf26250b1ce7cf539d25f41f640c4aa70259f6837b6919a59585e569f8d

SHA512
891fd9412aa92a449c24daf8e7bf4a823adec7ae53977618e87025ddcb386ad5256bd379c97d77ebc27a54deed57ff34f3906353fcdb90b224cc31fadca1961f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B8A439B1-75CC-11ED-AE55-6A950B37D0A0}.dat

Filesize
5KB

MD5
43b8abfe98c733604e390ddad633fefa

SHA1
c25314a196b59d2d5f974905043d6357fd24f065

SHA256
509d45fae794a15d69a8f4515af462a91e26637a25cebcaaf0e65048d35a679e

SHA512
e26f08e58e232deec2c1e042e9c6d106743b063ed7623abb509bdc02b919bfc62341a10137ac84fd8092118ffbc53c285eabc04626beba2b7c091474ee5b00b7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB950A91-75CC-11ED-AE55-6A950B37D0A0}.dat

Filesize
5KB

MD5
3c1875dfc0c6c28056a562106c3cc184

SHA1
f730b9658771cf9d12ee9528b6083a38daafe421

SHA256
3d21683318fbb1538de0905091d6696506775225b1cd5d36db4e93bdfa735672

SHA512
bfb2523cdc23aea271550c4944cc621c3453c4e0b8cc7d0fbf81cca6bcbf8ebe107186a3c6058c0d02a987e3eb664cd651f1c7c6f6f3f6f2e6afb120215d1a92

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DE837A11-75CC-11ED-AE55-6A950B37D0A0}.dat

Filesize
5KB

MD5
d84a036a38111ef4fbe8f4211cdb9eae

SHA1
c4dd3f530e57b2189094531485893cde89176f17

SHA256
1018847fd281a55f54f9bd4af264207edf382ba80999ffabb6f7cc682d8c4ab9

SHA512
a1c84533de99e61f59c9d56dc211b54ed1b40342e68d083e1336786cdc9afd4b085e174c2739c848979d8b723e9c7ae58f70a0a0872dcd3147b5e3f319f0e44d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F1744AF1-75CC-11ED-AE55-6A950B37D0A0}.dat

Filesize
5KB

MD5
47d23610db0deef9519b430ea6aba3a7

SHA1
22011bdb8d2127963edfe53826a03afe2fced1a2

SHA256
93fddf8966c54538c2ec9e2b9aafa8d55411529e6ec90131dcad347554629b68

SHA512
eaa99676b92635d751149e95007fb404598a679b9d0e3a2272abc843ff29123b0b56de97583551fc99b1195a11218762edb575a62b3ecbed9882f05ad6f903e3

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B8A439B3-75CC-11ED-AE55-6A950B37D0A0}.dat

Filesize
4KB

MD5
0df1a1350fdeda0c332217e3877f9ffa

SHA1
a0a0475e8fc0c9ccc5253bf22c84f89f5e897c6d

SHA256
1838aaf0b2531376831b120bf5478310ea37186a77d7a7d6a797d37cbc149754

SHA512
1dd7a541dee2bc19d3d6bf794d5a78d43bbc61d8c7f374ad13248e2a98d1359d0c976aca77e52feb91608d027261c57ef78abe06fe96c441e4ebe2585c2dd2ad

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CB950A93-75CC-11ED-AE55-6A950B37D0A0}.dat

Filesize
4KB

MD5
23a33d867d75e97e90b12a7290ac552c

SHA1
7b52e3a2492a97763e93499bc0e9f292d43967e4

SHA256
d300c2e676cd1bcf36d70cd4b29019e717e9cba843f126fafb497730c66f9c2d

SHA512
608ba22546cd8948b1b8950dfc9acb64a3ecc267a791d8c4c1cee09890398b99cedf2cbfe1d77e3b506f7c593cbb40036a29698d76eedcb65e4e31e52760f51e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DE837A13-75CC-11ED-AE55-6A950B37D0A0}.dat

Filesize
4KB

MD5
9ff85cbab728364eac487be9c64ed14a

SHA1
52e1cde2d651cfee732e498f808c976ad0c1996f

SHA256
1a66d1533a22c52990a8616c0828fc568fb723bfd9dadca22e08539ae3f03e47

SHA512
51e5ca0ba4b1ee363f134220a3e02bb2725eea38b2e5d4124dd3b5a6c004d0e3c1b69d7a4b513e344d96da707da11cb845c9b62dc19540396f8b9b27c0454948

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\imagestore\cqoxpxj\imagestore.dat

Filesize
4KB

MD5
5f2443354190329d2175da56ab935941

SHA1
796cea9631a9f537c5bd5119fdbeb48f13fa688f

SHA256
3e52f5030d5514dd0cd53b53f893ec20efbe8e659ab35e75457a05764b7fc578

SHA512
c869186136b2bf110d10a2a7795f88ce4ad39d96ff36b157cf8fa1dd01dd0da5802ee0f6441a8874efe238bd95c313aa7980d6fe53d5c472dcacf35813cb8d8d

Download Submit
memory/296-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/296-63-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/296-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/296-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/856-61-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download