a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c

Analysis

max time kernel
209s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
Size

116KB
MD5

2dd5566a545c687b3b770f24d9a4fa4f
SHA1

8ca957d133a82ba2344401f05a9a320ee37c1c09
SHA256

a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c
SHA512

a2fe42aa3b4081feee4924b79ccf49390394af7d5a8ed3f73addc437d9a3acd3eb272da945cb14b2eeaf29f516cc6bc106ba6e843327990a39ccf1057f103d1c
SSDEEP

1536:oJwB93uVGLnuTaLupX7RFJGE+RsPaaxSVKR0mI53pAs34vc7OtK0iDg+SI37:LB93bbuTaqIESsCaxfRHOAsogOteDJj

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3552-132-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral2/memory/3552-133-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral2/files/0x000b000000022deb-134.dat	vmprotect
behavioral2/files/0x000b000000022deb-135.dat	vmprotect
behavioral2/memory/3632-137-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral2/memory/3552-138-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral2/memory/3632-139-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral2/memory/3552-141-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D4E57798-75CC-11ED-BF5F-D668443210E4}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B6CBC348-75CC-11ED-BF5F-D668443210E4}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatUaCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CCC8D78A-75CC-11ED-BF5F-D668443210E4}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0BB46383-75CD-11ED-BF5F-D668443210E4}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\dnserror[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatUaCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D4E5779A-75CC-11ED-BF5F-D668443210E4}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\TraversinIE.exe	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E6CE3FE5-75CC-11ED-BF5F-D668443210E4}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatUaCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{021F145C-75CD-11ED-BF5F-D668443210E4}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F3018CCC-75CC-11ED-BF5F-D668443210E4}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pma	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B6CBC348-75CC-11ED-BF5F-D668443210E4}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatUaCache\Low	IEXPLORE.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3552	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B686A502-75CC-11ED-BF5F-D668443210E4} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Edge\IEToEdge	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\LoadTimeArray = 04000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ie_to_edge_stub.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ie_to_edge_stub.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@ieframe.dll,-12512 = "Bing"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\SearchBandMigrationVersion = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\LoadTimeArray = b3000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\OperationalData = "12"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\dr = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Flags = "1024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Count = "5"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Time = e6070c00030007000100120019007402	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
Token: SeIncBasePriorityPrivilege	3552	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
388	IEXPLORE.EXE
388	IEXPLORE.EXE
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
4948	IEXPLORE.EXE
4948	IEXPLORE.EXE
4948	IEXPLORE.EXE
4948	IEXPLORE.EXE
4948	IEXPLORE.EXE
4948	IEXPLORE.EXE
4948	IEXPLORE.EXE
4948	IEXPLORE.EXE
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
4468	IEXPLORE.EXE
4468	IEXPLORE.EXE
3896	IEXPLORE.EXE
3896	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
3432	IEXPLORE.EXE
3432	IEXPLORE.EXE
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE
852	IEXPLORE.EXE
852	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
4948	IEXPLORE.EXE
4948	IEXPLORE.EXE
3768	IEXPLORE.EXE
3768	IEXPLORE.EXE
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE
4800	IEXPLORE.EXE
4800	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 4468	3552	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	84
PID 3552 wrote to memory of 4468	3552	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	84
PID 3632 wrote to memory of 3896	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	86
PID 3632 wrote to memory of 3896	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	86
PID 4468 wrote to memory of 4292	4468	IEXPLORE.EXE	88
PID 4468 wrote to memory of 4292	4468	IEXPLORE.EXE	88
PID 4468 wrote to memory of 4292	4468	IEXPLORE.EXE	88
PID 3896 wrote to memory of 1836	3896	IEXPLORE.EXE	87
PID 3896 wrote to memory of 1836	3896	IEXPLORE.EXE	87
PID 3896 wrote to memory of 1836	3896	IEXPLORE.EXE	87
PID 3632 wrote to memory of 388	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	90
PID 3632 wrote to memory of 388	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	90
PID 3552 wrote to memory of 2712	3552	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	91
PID 3552 wrote to memory of 2712	3552	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	91
PID 3552 wrote to memory of 2712	3552	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	91
PID 388 wrote to memory of 3432	388	IEXPLORE.EXE	92
PID 388 wrote to memory of 3432	388	IEXPLORE.EXE	92
PID 388 wrote to memory of 3432	388	IEXPLORE.EXE	92
PID 3632 wrote to memory of 2212	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	94
PID 3632 wrote to memory of 2212	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	94
PID 2212 wrote to memory of 852	2212	IEXPLORE.EXE	95
PID 2212 wrote to memory of 852	2212	IEXPLORE.EXE	95
PID 2212 wrote to memory of 852	2212	IEXPLORE.EXE	95
PID 3632 wrote to memory of 1460	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	96
PID 3632 wrote to memory of 1460	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	96
PID 1460 wrote to memory of 1816	1460	IEXPLORE.EXE	97
PID 1460 wrote to memory of 1816	1460	IEXPLORE.EXE	97
PID 1460 wrote to memory of 1816	1460	IEXPLORE.EXE	97
PID 3632 wrote to memory of 4948	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	102
PID 3632 wrote to memory of 4948	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	102
PID 4948 wrote to memory of 3768	4948	IEXPLORE.EXE	103
PID 4948 wrote to memory of 3768	4948	IEXPLORE.EXE	103
PID 4948 wrote to memory of 3768	4948	IEXPLORE.EXE	103
PID 3768 wrote to memory of 4748	3768	IEXPLORE.EXE	106
PID 3768 wrote to memory of 4748	3768	IEXPLORE.EXE	106
PID 4748 wrote to memory of 3956	4748	ie_to_edge_stub.exe	107
PID 4748 wrote to memory of 3956	4748	ie_to_edge_stub.exe	107
PID 3956 wrote to memory of 4480	3956	msedge.exe	110
PID 3956 wrote to memory of 4480	3956	msedge.exe	110
PID 3632 wrote to memory of 1428	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	111
PID 3632 wrote to memory of 1428	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	111
PID 1428 wrote to memory of 2632	1428	IEXPLORE.EXE	112
PID 1428 wrote to memory of 2632	1428	IEXPLORE.EXE	112
PID 1428 wrote to memory of 2632	1428	IEXPLORE.EXE	112
PID 3632 wrote to memory of 3444	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	118
PID 3632 wrote to memory of 3444	3632	a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe	118
PID 3444 wrote to memory of 4800	3444	IEXPLORE.EXE	119
PID 3444 wrote to memory of 4800	3444	IEXPLORE.EXE	119
PID 3444 wrote to memory of 4800	3444	IEXPLORE.EXE	119
PID 4800 wrote to memory of 1932	4800	IEXPLORE.EXE	120
PID 4800 wrote to memory of 1932	4800	IEXPLORE.EXE	120
PID 1932 wrote to memory of 3496	1932	ie_to_edge_stub.exe	121
PID 1932 wrote to memory of 3496	1932	ie_to_edge_stub.exe	121
PID 3496 wrote to memory of 2244	3496	msedge.exe	122
PID 3496 wrote to memory of 2244	3496	msedge.exe	122

C:\Users\Admin\AppData\Local\Temp\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
"C:\Users\Admin\AppData\Local\Temp\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/dos/qt.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4468 CREDAT:17410 /prefetch:2
    3⤵
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A5A837~1.EXE > nul
  2⤵
  PID:2712

C:\Windows\SysWOW64\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
C:\Windows\SysWOW64\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3896 CREDAT:17410 /prefetch:2
    3⤵
    PID:1836
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:388 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:3432
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:852
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:1816
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4948 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=5008c
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=5008c
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of WriteProcessMemory
        
        PID:3956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0x40,0x10c,0x7ffd9cb246f8,0x7ffd9cb24708,0x7ffd9cb24718
        6⤵
        Drops file in System32 directory
        
        PID:4480
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1428 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies data under HKEY_USERS
    PID:2632
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://qt.pzdnf.com/NewCC/NewQT.TXT
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3444 CREDAT:17410 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=70098
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=70098
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd9cb246f8,0x7ffd9cb24708,0x7ffd9cb24718
        6⤵
        Drops file in System32 directory
        
        PID:2244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe

Filesize
116KB

MD5
2dd5566a545c687b3b770f24d9a4fa4f

SHA1
8ca957d133a82ba2344401f05a9a320ee37c1c09

SHA256
a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c

SHA512
a2fe42aa3b4081feee4924b79ccf49390394af7d5a8ed3f73addc437d9a3acd3eb272da945cb14b2eeaf29f516cc6bc106ba6e843327990a39ccf1057f103d1c

Download Submit
C:\Windows\SysWOW64\a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c.exe

Filesize
116KB

MD5
2dd5566a545c687b3b770f24d9a4fa4f

SHA1
8ca957d133a82ba2344401f05a9a320ee37c1c09

SHA256
a5a8377ca7d5996323cbb08072e8ad5803fbf65dad5c5298284b73e09b52f91c

SHA512
a2fe42aa3b4081feee4924b79ccf49390394af7d5a8ed3f73addc437d9a3acd3eb272da945cb14b2eeaf29f516cc6bc106ba6e843327990a39ccf1057f103d1c

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9ff64ebe10ba04b16d9b6f96eae8831

SHA1
f87cc891a4f3d57ba23af3f6a56644ba11f5cc3a

SHA256
ef26ca2187ed205d15845b68978070e4b8ac3d316f7c5d9d6be05a8674195855

SHA512
146e5494747dc1f767a7a72b26e5bd6fb3ad3edc054d1b1bec26dc2d904f60f1bc9591966f5afc7146bd654d8013cc415e4caddc262bb58954a1867f037cc376

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5883698e8500c6b495bdade058dfb92b

SHA1
87f575109f2afe70cf8b238493c63a3c33d92898

SHA256
52af176890c29191d62aaf3daa9f116fb49d41e19bf54a8703a28dfdcb26c772

SHA512
08ca3c6eb7acffecb9f45733bc1ba48142e20466449de008c7b45b19803f18dfd53833a545bcedb78826fa94155f50e890d1020a5da507db82a9bab784c82c96

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B6CBC348-75CC-11ED-BF5F-D668443210E4}.dat

Filesize
3KB

MD5
648ff5b5dc2914fd9a29f85cfa318718

SHA1
ec5379c81de9f1c1ab602226879742ebff7c0c37

SHA256
1a2f5dd720e7d9fa45c5ad2770542903ec8fae541018c562650041b43ecf11ad

SHA512
f6d749107c089c739b459344db189f105f7140f07e1a1dbe1030a8a94810b765ccd9d247cc47cf19c5e292b6b0ca8111b6e7f6bd729533e746d0c225b689485b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CCC8D78A-75CC-11ED-BF5F-D668443210E4}.dat

Filesize
5KB

MD5
442ef8794b817ab5ef97dc28a9227f57

SHA1
7854f8f38ab2391d5ab9b22e6f43dbeaa92b2abd

SHA256
920cff42be3e71157930b51fdbd83f19a971035d365314ddc66eda69b190c279

SHA512
0aec7cd2d955f4d17d597b77cd4d366093a0eede24eaf492618f50800e6f824152d0fa768b657bbfc86173d72dffa8d1917783731ddcd278551dc69d6b933fd0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D4E57798-75CC-11ED-BF5F-D668443210E4}.dat

Filesize
5KB

MD5
911423e4f2306a8bb6d36ec6553a4071

SHA1
c492aa5ade2cd6219a61d863b1db9078c4d76a7b

SHA256
12eb99a6668b78bb31cdc9b294d6af91fc1884461f31e4791e302acf615ab599

SHA512
47923cb898d6e8a8aefb4320ab22c34e61e5b659906d62c73b1269b366ea3012bd04de311a79c1c31c8ff672e90ef0588631741eff5caadcab7e7b68b7d66c59

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E6CE3FE3-75CC-11ED-BF5F-D668443210E4}.dat

Filesize
5KB

MD5
4fdcde01b50a11193a55755c7c8a0fc0

SHA1
69162e6660a5c193f7b2158b3148adc701e19939

SHA256
a2d791fbcaa2b1be73d7648219b268fb8868347d66f98a8e4316252ca0a5a30c

SHA512
c18aadcc813ca3343168cb966745394abea50696c050ca37c032093ff75b0c06e40616c11a25b25d3a929c92a54bcac25ccd101b536e63c6b70d9ecf4d91d794

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CCC8D78C-75CC-11ED-BF5F-D668443210E4}.dat

Filesize
4KB

MD5
b76cb65c5ad2dc8360881238fe929c2a

SHA1
9d41f1d32dec2810854e5121a007a4595fd99c6a

SHA256
31119ebcdc31cf82ad754ec7dec8d769e6c8dcb713de2c8a1bc652b1a4d98540

SHA512
fc1cf58c381f047b842a6fb52d8c54bf1974c63bdcdf59696f38bdcc0b4924767aac743365fc492ad56f5ee6ba5d71d116d0d7655297e715f95ea1712a4b3fc6

Download Submit
memory/3552-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3552-133-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3552-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3552-138-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3632-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3632-137-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download