hxxps://web[.]archive[.]org/web/20010202091800/hxxp://www[.]gorillaz[.]com/index_N_mie45[.]html

Analysis

max time kernel
1557s
max time network
1521s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2023, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://web.archive.org/web/20010202091800/http://www.gorillaz.com/index_N_mie45.html

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}\ = "Macromedia Shockwave Director 8.0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}\IsInstalled = 01000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}\Locale = "EN"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}\ComponentID = "Director"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}\Version = "8,0,0,205"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}\ = "Macromedia Shockwave Director 8.0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}\IsInstalled = 01000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}\Version = "8,0,0,205"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}\Locale = "EN"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}\ComponentID = "Director"	IEXPLORE.EXE

Loads dropped DLL 8 IoCs

pid	Process
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE

Drops file in System32 directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\Xtras\Flashass.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\SwDir.dll	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\SET967.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\asiport.rsr	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\Xtras\Swastrm.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\ie32dsw.ocx	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\m5drvr32.rsr	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\asifont.map	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\asifont.map	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\D60Xtra.MCH	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\Xtras\Netfile.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\swadcmpr.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\IE32DSW.ocx	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\Xtras\Mix32.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\SET956.tmp	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Macromed\Director\SET956.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\M5drvr32.exe	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\ie32dsw.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\idle32.exe	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\xobglu32.dll	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\Xtras\JPEGImpo.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\xobglu32.dll	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\m5if32.dll	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\asiport.rsr	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\swastrm.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\iml32.dll	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\M5if32.dll	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\xobglu16.dll	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\m5if32.dll	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\Xtras\Brwsserv.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\Xtras\GIFImpor.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\Xtras\SoundImp.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\SET968.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Shockwave 8\SET969.tmp	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Macromed\Shockwave 8\SET969.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\Xtras\Swadcmpr.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\swdir.dll	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\dirapi.mch	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Macromed\Director\SET968.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Shockwave 8\Shockwave Log	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\m5drvr32.rsr	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\Xtras\Netlingo.x32	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\xobglu16.dll	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\m5drvr32.exe	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Macromed\Director\SET967.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\ie32dsw.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\m5drvr32.exe	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\intro.dcr	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Director\dirapi.dll	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Macromed\Shockwave 8\Control.dll	IEXPLORE.EXE

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\INF\SET96A.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\swdir.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETA46.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETA46.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swdir.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\SET96A.tmp	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0c734154240d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4045993172"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31014977"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4045993172"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0db2a524240d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1BB4CB25-AC35-11ED-BF5F-621DF61BAEF5} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000001fa2f1b5efd754aa347fc72bf85968b000000000200000000001066000000010000200000001822db886238af74ded89099ed7423ef2362df7a835b6451dbfbe723b2e002c5000000000e80000000020000200000004acd5b1b152fbb3871ccba52fc643c20f2c9d88695ec8d09b6c697cce0519e35200000008618756f7a8d6d5bf89658d6fe1087e8a2220dc8f2777a4ccb97ce12e5632f3640000000e020ae7e728b635842a98f4258be078ce37670a7b8c86398e6dea417723daf6cb6b467fd93d00a9c4a6d4db979f3c1671f2ad1bf777edd384486d32e9db87799	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4038336902"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.adobe.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50acda484240d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000001fa2f1b5efd754aa347fc72bf85968b00000000020000000000106600000001000020000000e9e3c84ee0b6e25e69e8ec67fd54e97b5ac33ed5c93c8122209d09f72d8bdc43000000000e80000000020000200000003f94d3a41db9f2d8a1a358c305d0a0d1d439e7b34c8ad083321b29a980307dcb20000000c36961de0b022b83839a317770ad36797098a632b54ef02da04096559bbf856c40000000c85c691f1154ac4bf0617fc98dc464d20598210fda5912cae29958c8ec4607366beb967e4a20b4f8b68137c39e6c2b938dbb1df1373c726d590d8dfd2360c775	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31014977"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000001fa2f1b5efd754aa347fc72bf85968b00000000020000000000106600000001000020000000f83c272aac9d29624d514863e9c50ca0f5a284a7d3c130df120da99d7bcfe5df000000000e8000000002000020000000f8510adbf496090acc2d10bea6f03894c59cb764a2db1940edda75bcf85f58dd20000000bcbb4cc8840b5967c082c7968c7f1b641fc0832e94369b1530be9bd1f7b0f06f40000000dc1cc6f420f2a636fb68a9081e207ef9602de7d8493e259c1444d3641e5a9cbf9f59c3b4b9d18f1fcc5c65bf7b790af6efe7a8991eaf2253fe28e70adc23538f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4038336902"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383122936"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50fc940c4240d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "525"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31014977"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "8"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000001fa2f1b5efd754aa347fc72bf85968b0000000002000000000010660000000100002000000064c4e8486d96bf5a6900af91e21e02448706b2ba07f9ccd45e72c32814b38885000000000e80000000020000200000004dc34160b73d2fd41b7c1cadf4a7e345bd5c25d74bfaca3869c553242c28215e20000000f0355f2b6c0675095d1e2b4ef72f7b4271a815ece610ca44ed85bdcca8f85c1f400000006bff5ffca7532125abdbea31d625fc24b941914704607be724f0dc07d0125c8a30ae519216ac1155e2b9a3c500f6f27ea8d0e7038bd428e14743a5afb2f31ad9	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04671e84140d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000001fa2f1b5efd754aa347fc72bf85968b0000000002000000000010660000000100002000000022f2daff0e0871bb2afbde3781ef2a6c826006f6086080761206a37809bcb3b7000000000e800000000200002000000097074b7b3105833fb8134bfb38218ca4ed345700d5f305984346d65099ab68e620000000ea69b6b8a3aa8d927cc43e40a16bbc161d5d59d719b10abbc8961cf3b719428e40000000bb8974c0df14a11776a25e482deeb23978790a2df7765a46963e459365ad9ac33b5f4ee16e2cf9314608e4b6583613934f1c78765d81a97ed0e6bd8cc1138fdd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 305b58004240d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.adobe.com\ = "8"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206fc7194240d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502831534240d901	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl.8\ = "Shockwave ActiveX Control"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl.7\CLSID\ = "{166B1BCA-3F9C-11CF-8075-444553540000}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl.1\CLSID\ = "{166B1BCA-3F9C-11CF-8075-444553540000}"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\InprocServer32	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\TypeLib	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dxr\Content Type = "application/x-director"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166B1BC7-3F9C-11CF-8075-444553540000}\1.0	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC8-3F9C-11CF-8075-444553540000}\ = "IShockwaveCtl"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{166B1BC8-3F9C-11CF-8075-444553540000}\TypeLib\Version = "1.0"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dxr	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC8-3F9C-11CF-8075-444553540000}\TypeLib\Version = "1.0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{166B1BC8-3F9C-11CF-8075-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\ToolboxBitmap32	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\MiscStatus\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\EnableFullPage\.dcr	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-director\Extension = ".dir"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}\ = "_ShockwaveEvents"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC8-3F9C-11CF-8075-444553540000}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC8-3F9C-11CF-8075-444553540000}\ProxyStubClsid32	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl.7	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl\CurVer	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\Programmable	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\Version\ = "1.0"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-director	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166B1BC7-3F9C-11CF-8075-444553540000}\1.0\FLAGS	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}\ProxyStubClsid32	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}\TypeLib\Version = "1.0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\macromed\\director\\SwDir.dll"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl.1\ = "Shockwave ActiveX Control"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\MiscStatus	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\Version	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166B1BC7-3F9C-11CF-8075-444553540000}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166B1BC7-3F9C-11CF-8075-444553540000}\1.0\FLAGS\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC8-3F9C-11CF-8075-444553540000}\TypeLib\ = "{166B1BC7-3F9C-11CF-8075-444553540000}"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{166B1BC8-3F9C-11CF-8075-444553540000}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl.7\ = "Shockwave ActiveX Control"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\ = "Shockwave ActiveX Control"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166B1BC7-3F9C-11CF-8075-444553540000}\1.0\0\win32	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}\TypeLib\ = "{166B1BC7-3F9C-11CF-8075-444553540000}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\MiscStatus\1\ = "131473"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166B1BC7-3F9C-11CF-8075-444553540000}\1.0\0	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}\TypeLib	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl.8\CLSID\ = "{166B1BCA-3F9C-11CF-8075-444553540000}"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl.1	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\Control	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-director\CLSID = "{166B1BCA-3F9C-11CF-8075-444553540000}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}\ProxyStubClsid32	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC8-3F9C-11CF-8075-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl.8\CLSID	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\ProgID	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\VersionIndependentProgID	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}\TypeLib	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}\TypeLib\ = "{166B1BC7-3F9C-11CF-8075-444553540000}"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl.8	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\ProgID\ = "SWCtl.SWCtl.8"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\.dcr\Content Type = "application/x-director"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dir	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dir\Content Type = "application/x-director"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166B1BC7-3F9C-11CF-8075-444553540000}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Macromed\\Shockwave 8\\Control.dll"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\MiscStatus\1	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\EnableFullPage\.dir	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4212	iexplore.exe
4212	iexplore.exe
4212	iexplore.exe
4212	iexplore.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4212	iexplore.exe
4212	iexplore.exe
4212	iexplore.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
4212	iexplore.exe
4212	iexplore.exe
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4212	iexplore.exe
4212	iexplore.exe
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4212	iexplore.exe
4212	iexplore.exe
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 4796	4212	iexplore.exe	79
PID 4212 wrote to memory of 4796	4212	iexplore.exe	79
PID 4212 wrote to memory of 4796	4212	iexplore.exe	79
PID 4212 wrote to memory of 1940	4212	iexplore.exe	90
PID 4212 wrote to memory of 1940	4212	iexplore.exe	90
PID 4212 wrote to memory of 1940	4212	iexplore.exe	90

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://web.archive.org/web/20010202091800/http://www.gorillaz.com/index_N_mie45.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4212 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4796
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4212 CREDAT:82992 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
123eebfa9c4674b9a9dba93a6503535d

SHA1
35da3408a551766428801521eb35ae447c530b07

SHA256
fd3fe6656e5063cf4917143c6ad08a66acf39d7dcd77c87af2eb165b79edee25

SHA512
f28285ab5cd55c81380fe78cc0ea1468ea8bc7b9e97af2dbe3b188f65c7775d0a99d07feac4c5536a77df66254cc562e1780eb6330c5f7fbe3fe33561878d4d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
3e472b0f5a701aa836fb601ca75b32f6

SHA1
36058caf014a2a437db05da767e8992cf44fd7ab

SHA256
8b96d03923483c423948faac348c850ec54cd35621836d1612259b825f6498ea

SHA512
5885c94f81236f2aedb5c30fffa128550eb5b52e609ef5ae2bc5a21b50500cc08652bdcc4eb037137ca703b7c9b18e47965d33906f8b3b7b028347681b7470fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
21b360b4c1b4f4ec4ba4390f62ffec96

SHA1
9fe33f6c986e9f27849586800dc10a980ee8d28b

SHA256
f9da43b6652fe57d22b73cf1860560124c7aaf93cb16960bde1b9f44ea91c3ed

SHA512
bb24e86a5b3a46a1a37370b9fe016cb03d5bb985de148cc8cb523735f30379c9e110f2f9594747f128f63bafa7f5fd0ad2c4be4be170ee4fa88d5f81b165f634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
47942d71ba1e875812eef82defade62c

SHA1
76eb06ec18bb0f72a4219694575f93d288e5f3eb

SHA256
e94aea785bee2ce7b0165ae9126382f5c7ff82c42c3e34f9c27e8d75c78af938

SHA512
dda9230c9727043797a179cf1f17d6eee2afe78336a4d367e7a2233b5b21864249817cf52eba914b566f780795b97936649be94f35492663e2cff9f0d5649017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
20fc284a030dc96c9084ed31ff0027bf

SHA1
ca1e6badb3eebcad421e4ab21703f91ab3d84cbf

SHA256
f0e493b93a7a25e057dfd202175b697e1cde383d1ec9411e978bfe032c2f4be2

SHA512
6f21ded945935d21c1bd276e0f8036bccfde5863cbd6f8bfdbaa45f2d51fc9b07ae8ad50bdb7c2fa7a12937847da1464d629f2b8ca4eda1805950ef099171239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
3e84730b71551a0c4e768600721e9db8

SHA1
2875205980e7721c3f40f9feb9a857fbcad7042f

SHA256
1c38ad637a1d1fd0177d944ea5931012fc40f4896b230e10fb8dc9cb74294428

SHA512
b29b2e93e3a7251faeb517e4cc954a5900e55c3e29f90b91759893553d3bc954bde963ed1095976cee20f04ccb5c9a321516dc2c88fdd881eb88d5b5ea1ef20b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1TQVPNOO\banner-styles[1].css

Filesize
9KB

MD5
4b5cea24262df595204c9b9dffca6baf

SHA1
ed683d4d21521475c07ae495491d018d277a702e

SHA256
a2cd0a669823436fe6831d3b41b5a7b65cb0ad66134075b0181093c2be9ee9b3

SHA512
f034ac48792d52446676fba02a211d2250a2141154e92a447fb452e742cf1abb969b1d882e69ec8b4fc1e725e46639d8e1b839d705fac11cfdf9d754bd658486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1TQVPNOO\loading[1].gif

Filesize
913B

MD5
feb463f3270afee4352651aac697d7e5

SHA1
5e5a327ab6775341662529f6bd07726dd96ff141

SHA256
5a3bb1567ffd3cf6269b276f47563078b2d0a846156bca648d9624eb9ef6af1d

SHA512
6cc388b70daabecf51a20bb0f7e6b75c5ba020d08e48fe3672d4e39d61adeb6a6566ee91c64fa42d9bf6b5feff48b761a4ac4aebc95192ed8ee35a64acd1fb36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1TQVPNOO\wayback-toolbar-logo-200[1].png

Filesize
6KB

MD5
ae0fda819bd640cded44232c583e7f7d

SHA1
74d0063d50e80c791ec1e99ea57b6871b32869be

SHA256
c417dc1cf27e6b75ba04c31798f7b4243a1d151989d6636bbec2468596977a5d

SHA512
cc867a472e7cc5783fe48f297dd83a12a87411bf9fde63bf790ef8d0d15a3b55ee1ed8c94513e241abf2072787d602fac343ce686fdbae9f4ee82638eeb02616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\54DSOF0M\bundle-playback[1].js

Filesize
29KB

MD5
923131585efee1eff8a895b0a19e1e6e

SHA1
b6e6ec3dc9b4d1ce88f791406793070b86bc8c5c

SHA256
7fca1349371b9d851da2b30cf129516da594a16dc9a73886544c7a8e9435514a

SHA512
b4105d269a942d869632c21aee95a57c25ba479c94a8b1cfd3e3aee615019a836c45f0ba999a107301e843d1760db7cc536ef72edc9cdca66d5f58c5ac442eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\54DSOF0M\record[1].css

Filesize
7KB

MD5
472be5b2c7d9bab301c23764eb1b46ec

SHA1
392bf4071bea86126319e3884052ea6ca4b6c404

SHA256
1bb9ec9606127186687985e4358f0259053b9f4aa7ce17bd9b7bb7ed9276dc56

SHA512
43dad757716c09d6466935a596a2e92a311378aa9b340411769c4035b8c357ded73c8fb76301e0db84dff9c3ff17e6b70e650690e0fac2d467ad3162d76831cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\54DSOF0M\wm_tb_nxt_on[1].png

Filesize
294B

MD5
92551ea37fb1656ec298066eab8734d9

SHA1
25ff7724b9c796053f8ca94a5caa3fe6d5f32956

SHA256
9a6c9fd420d028bf2b57e850d9dba5df9aea7c4e3d50e7a2387dc99fd11ab5ce

SHA512
7a07990582c5dfcd29f0a0e7eaf42bca211a6f55ca099949c383c001f5fec34d7b8a911c2a562278f7e25141da45b19864f7c83006ce7e686e828d3d1ff082a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\54DSOF0M\wombat[1].js

Filesize
119KB

MD5
2639a5ee0f7ad46ccf8a0ed7c746e4da

SHA1
187155e72ea2a9f3ab4e8aef971511077f2440cf

SHA256
ecfb89be9949e898d8eb3c76cf4de5f43890d91b18bb90c42fc282d2595f0134

SHA512
07df01b545bf39552012fc2ac7aa3b913bd24520b60b6f08969ab3552233026d9ad9430466b114366e37113d451151d8e4ad13e5658bd07a0f9cd5c038a8fc56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\90MK9CXD\analytics[1].js

Filesize
14KB

MD5
613d7d6f6dbee8c7a848d03263c6f2b6

SHA1
950bb80801952739151261995316fcc9ac67c3e9

SHA256
459a9b73080a7c167a3125954be51db158867f805bd51e7bf1e4b66e8a46033c

SHA512
009ab89ef7cf0305ce9ddf48df4b1d4687557561f670238fc072b5f539ae41f6d0eb91d2e58e5bd11428885ece26d633772d33ccb19d75c26aee4e0f6b47da95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\90MK9CXD\wombat[1].js

Filesize
119KB

MD5
2639a5ee0f7ad46ccf8a0ed7c746e4da

SHA1
187155e72ea2a9f3ab4e8aef971511077f2440cf

SHA256
ecfb89be9949e898d8eb3c76cf4de5f43890d91b18bb90c42fc282d2595f0134

SHA512
07df01b545bf39552012fc2ac7aa3b913bd24520b60b6f08969ab3552233026d9ad9430466b114366e37113d451151d8e4ad13e5658bd07a0f9cd5c038a8fc56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CYD2NY1G\banner-styles[1].css

Filesize
9KB

MD5
4b5cea24262df595204c9b9dffca6baf

SHA1
ed683d4d21521475c07ae495491d018d277a702e

SHA256
a2cd0a669823436fe6831d3b41b5a7b65cb0ad66134075b0181093c2be9ee9b3

SHA512
f034ac48792d52446676fba02a211d2250a2141154e92a447fb452e742cf1abb969b1d882e69ec8b4fc1e725e46639d8e1b839d705fac11cfdf9d754bd658486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CYD2NY1G\bundle-playback[1].js

Filesize
29KB

MD5
923131585efee1eff8a895b0a19e1e6e

SHA1
b6e6ec3dc9b4d1ce88f791406793070b86bc8c5c

SHA256
7fca1349371b9d851da2b30cf129516da594a16dc9a73886544c7a8e9435514a

SHA512
b4105d269a942d869632c21aee95a57c25ba479c94a8b1cfd3e3aee615019a836c45f0ba999a107301e843d1760db7cc536ef72edc9cdca66d5f58c5ac442eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CYD2NY1G\iconochive[1].css

Filesize
5KB

MD5
aadbcc29c209482b1adf0f4cd1a0255e

SHA1
bdeceaa51becb05161016e10ef65550198747f6e

SHA256
bc2ff0a6b9cf9b088c61c1eefb303f3e9e592a66d37b699d751fcdfc1fcef560

SHA512
49c3fa060cee6b763f1b92e7a3be23232e7bc016847994119ad63cce40410dc64035b55887cb1c467a3f51674d99f89ec8ada65b14c8f8ee1f02be7c8c97c170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CYD2NY1G\loading[1].gif

Filesize
913B

MD5
feb463f3270afee4352651aac697d7e5

SHA1
5e5a327ab6775341662529f6bd07726dd96ff141

SHA256
5a3bb1567ffd3cf6269b276f47563078b2d0a846156bca648d9624eb9ef6af1d

SHA512
6cc388b70daabecf51a20bb0f7e6b75c5ba020d08e48fe3672d4e39d61adeb6a6566ee91c64fa42d9bf6b5feff48b761a4ac4aebc95192ed8ee35a64acd1fb36

Download Submit
C:\Windows\SysWOW64\Macromed\Director\SwDir.dll

Filesize
48KB

MD5
d1b5e77fa1bb745df4762ab4105bb0d1

SHA1
175643992f684a43774822f6f61cf656380fe292

SHA256
9902dda196676cab64077acb78febeb17b14c9b2e6a5f399edc98129fc3cfa54

SHA512
dd89b42f21cf7834198ce1da3e9bba6235bb7b67d33b942df6a173646f1bc7309336869dc1c143693ccd9459a23c9f83378a0ad75297143874290c3a2fc63040

Download Submit
C:\Windows\SysWOW64\Macromed\Director\SwDir.dll

Filesize
48KB

MD5
d1b5e77fa1bb745df4762ab4105bb0d1

SHA1
175643992f684a43774822f6f61cf656380fe292

SHA256
9902dda196676cab64077acb78febeb17b14c9b2e6a5f399edc98129fc3cfa54

SHA512
dd89b42f21cf7834198ce1da3e9bba6235bb7b67d33b942df6a173646f1bc7309336869dc1c143693ccd9459a23c9f83378a0ad75297143874290c3a2fc63040

Download Submit
C:\Windows\SysWOW64\Macromed\Director\SwDir.dll

Filesize
48KB

MD5
d1b5e77fa1bb745df4762ab4105bb0d1

SHA1
175643992f684a43774822f6f61cf656380fe292

SHA256
9902dda196676cab64077acb78febeb17b14c9b2e6a5f399edc98129fc3cfa54

SHA512
dd89b42f21cf7834198ce1da3e9bba6235bb7b67d33b942df6a173646f1bc7309336869dc1c143693ccd9459a23c9f83378a0ad75297143874290c3a2fc63040

Download Submit
C:\Windows\SysWOW64\Macromed\Director\SwDir.dll

Filesize
48KB

MD5
d1b5e77fa1bb745df4762ab4105bb0d1

SHA1
175643992f684a43774822f6f61cf656380fe292

SHA256
9902dda196676cab64077acb78febeb17b14c9b2e6a5f399edc98129fc3cfa54

SHA512
dd89b42f21cf7834198ce1da3e9bba6235bb7b67d33b942df6a173646f1bc7309336869dc1c143693ccd9459a23c9f83378a0ad75297143874290c3a2fc63040

Download Submit
C:\Windows\SysWOW64\Macromed\Shockwave 8\Control.dll

Filesize
528KB

MD5
a449cae01aa4c7c1ee6ccda346e4ffbc

SHA1
41a612f622d5b637f326749695500964e25a21fd

SHA256
f2d08eaaca25a1a9f8c312775fc4757db4969a05a2727503411458ac3d5e0921

SHA512
060b96c3d5697ef33c2f1e8a353e34858693d0964dad452fe87e077a5bf8f7fac4f79cf114e2aa7ab110564f660b34a9a1a480f0799af43bb4dd130894a85060

Download Submit
C:\Windows\SysWOW64\Macromed\Shockwave 8\Control.dll

Filesize
528KB

MD5
a449cae01aa4c7c1ee6ccda346e4ffbc

SHA1
41a612f622d5b637f326749695500964e25a21fd

SHA256
f2d08eaaca25a1a9f8c312775fc4757db4969a05a2727503411458ac3d5e0921

SHA512
060b96c3d5697ef33c2f1e8a353e34858693d0964dad452fe87e077a5bf8f7fac4f79cf114e2aa7ab110564f660b34a9a1a480f0799af43bb4dd130894a85060

Download Submit
C:\Windows\SysWOW64\Macromed\Shockwave 8\Control.dll

Filesize
528KB

MD5
a449cae01aa4c7c1ee6ccda346e4ffbc

SHA1
41a612f622d5b637f326749695500964e25a21fd

SHA256
f2d08eaaca25a1a9f8c312775fc4757db4969a05a2727503411458ac3d5e0921

SHA512
060b96c3d5697ef33c2f1e8a353e34858693d0964dad452fe87e077a5bf8f7fac4f79cf114e2aa7ab110564f660b34a9a1a480f0799af43bb4dd130894a85060

Download Submit
C:\Windows\SysWOW64\Macromed\Shockwave 8\Control.dll

Filesize
528KB

MD5
a449cae01aa4c7c1ee6ccda346e4ffbc

SHA1
41a612f622d5b637f326749695500964e25a21fd

SHA256
f2d08eaaca25a1a9f8c312775fc4757db4969a05a2727503411458ac3d5e0921

SHA512
060b96c3d5697ef33c2f1e8a353e34858693d0964dad452fe87e077a5bf8f7fac4f79cf114e2aa7ab110564f660b34a9a1a480f0799af43bb4dd130894a85060

Download Submit