e158175f492800bb1e95b3adbeefcb4302ad273ee383bf71258ac251dc23e06e

Analysis

max time kernel
9s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

543f94e0db26cd67c410ad93a39a1641.exe
Size

1.8MB
MD5

543f94e0db26cd67c410ad93a39a1641
SHA1

cfe8c29608a786d77947eb64f510f0439bda255f
SHA256

e158175f492800bb1e95b3adbeefcb4302ad273ee383bf71258ac251dc23e06e
SHA512

ba3d784e987fc335a636e4c9ff25242f2225a9f0adeced2b8e5d237e3630745705316bcb8d1f55bb3232825d9e6ef1cd0b276def7deceb0fec80ad86d4134876
SSDEEP

49152:hSV5acHAHVpS3NIPO836h7FmutmHgKJ4qtDzS:hSTgHVyNIq/mOV4Dm

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3676-0-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3676-25-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3676-100-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3676-120-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3676-174-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3676-254-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3676-271-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3676-356-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3676-412-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3676-414-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3676-25-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/3676-100-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/3676-120-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/3676-174-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/3676-254-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/3676-271-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/3676-356-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/3676-412-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/3676-414-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{22B971A8-A9BE-11EE-BD28-52EF8B93895E} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{22B9BFC8-A9BE-11EE-BD28-52EF8B93895E} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{22B998B8-A9BE-11EE-BD28-52EF8B93895E} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Modifies registry class 19 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{7CEF6A21-C6EE-49FF-B7FC-AAF8C937A515}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{D74FE1DF-966F-40DF-A051-C457888D4A6B}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3676	543f94e0db26cd67c410ad93a39a1641.exe
3676	543f94e0db26cd67c410ad93a39a1641.exe
3676	543f94e0db26cd67c410ad93a39a1641.exe
3676	543f94e0db26cd67c410ad93a39a1641.exe
3676	543f94e0db26cd67c410ad93a39a1641.exe
3676	543f94e0db26cd67c410ad93a39a1641.exe
3676	543f94e0db26cd67c410ad93a39a1641.exe
3676	543f94e0db26cd67c410ad93a39a1641.exe
3676	543f94e0db26cd67c410ad93a39a1641.exe
3676	543f94e0db26cd67c410ad93a39a1641.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4960	explorer.exe
Token: SeCreatePagefilePrivilege	4960	explorer.exe
Token: SeShutdownPrivilege	4960	explorer.exe
Token: SeCreatePagefilePrivilege	4960	explorer.exe
Token: SeShutdownPrivilege	4960	explorer.exe
Token: SeCreatePagefilePrivilege	4960	explorer.exe
Token: SeShutdownPrivilege	4960	explorer.exe
Token: SeCreatePagefilePrivilege	4960	explorer.exe
Token: SeShutdownPrivilege	2028	explorer.exe
Token: SeCreatePagefilePrivilege	2028	explorer.exe
Token: SeShutdownPrivilege	2028	explorer.exe
Token: SeCreatePagefilePrivilege	2028	explorer.exe
Token: SeShutdownPrivilege	2028	explorer.exe
Token: SeCreatePagefilePrivilege	2028	explorer.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
2084	IEXPLORE.EXE
4288	IEXPLORE.EXE
1932	IEXPLORE.EXE
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
4960	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
4288	IEXPLORE.EXE
4288	IEXPLORE.EXE
5068	IEXPLORE.EXE
5068	IEXPLORE.EXE
4384	IEXPLORE.EXE
4384	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 1932	3676	543f94e0db26cd67c410ad93a39a1641.exe	96
PID 3676 wrote to memory of 1932	3676	543f94e0db26cd67c410ad93a39a1641.exe	96
PID 3676 wrote to memory of 2084	3676	543f94e0db26cd67c410ad93a39a1641.exe	92
PID 3676 wrote to memory of 2084	3676	543f94e0db26cd67c410ad93a39a1641.exe	92
PID 3676 wrote to memory of 4288	3676	543f94e0db26cd67c410ad93a39a1641.exe	91
PID 3676 wrote to memory of 4288	3676	543f94e0db26cd67c410ad93a39a1641.exe	91
PID 4288 wrote to memory of 4384	4288	IEXPLORE.EXE	95
PID 4288 wrote to memory of 4384	4288	IEXPLORE.EXE	95
PID 4288 wrote to memory of 4384	4288	IEXPLORE.EXE	95
PID 2084 wrote to memory of 5068	2084	IEXPLORE.EXE	94
PID 2084 wrote to memory of 5068	2084	IEXPLORE.EXE	94
PID 2084 wrote to memory of 5068	2084	IEXPLORE.EXE	94
PID 1932 wrote to memory of 4712	1932	IEXPLORE.EXE	93
PID 1932 wrote to memory of 4712	1932	IEXPLORE.EXE	93
PID 1932 wrote to memory of 4712	1932	IEXPLORE.EXE	93
PID 3676 wrote to memory of 3520	3676	543f94e0db26cd67c410ad93a39a1641.exe	46
PID 3676 wrote to memory of 3520	3676	543f94e0db26cd67c410ad93a39a1641.exe	46
PID 3676 wrote to memory of 4960	3676	543f94e0db26cd67c410ad93a39a1641.exe	105
PID 3676 wrote to memory of 4960	3676	543f94e0db26cd67c410ad93a39a1641.exe	105

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\543f94e0db26cd67c410ad93a39a1641.exe
  "C:\Users\Admin\AppData\Local\Temp\543f94e0db26cd67c410ad93a39a1641.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ie.hi2220.info/ie.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4288 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4384
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.81830.info/tg14.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2084 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5068
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.banshao.info
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:17416 /prefetch:2
      4⤵
      PID:5968
- - C:\Users\Public\Desktop\forqd340.exe
    "C:\Users\Public\Desktop\forqd340.exe"
    3⤵
    PID:432

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:17410 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4960

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2028

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3784

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4200

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4248

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5740

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5576

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5064

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5192

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:336

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5128

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:5504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6104

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1696

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1340

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5548

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\PUBLIC\DESKTOP\FORQD340.EXE

Filesize
65KB

MD5
f56a9f4fb234f8e9d99d0d1f5df7a7c8

SHA1
537164ac2e818111ee88eedc0a1bb7e6e2892d52

SHA256
5a02a12be400b20af76972abc833223d42e7d0c5f707cac3979849ec3d8b330e

SHA512
7fad89eef202f074eb212cfa7afdd5c285a134dac5248a7407957eed73e8bc21fa8af8760d1e5da5bfd41ffe9564cb3af5075a87cded390132f602a0de182e63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
fcff0230b5d2518aa5bcb53e5cb6bd95

SHA1
84e02eab4dc8e963711ad054dda8073192c66f04

SHA256
8c0fad7b8bd59ddefd60d837653fae5bc4010ab28cbf658b4c3fe7092fc392c0

SHA512
a334311a9c0ec08264731a82e8f55b47cb3a21e3e95b0cda4881de5a523a81cc783ebfaedeb002a653f1cef71bcc0a3f6abc3e875cfc9b5db3a4ce637b29bc5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
038c5efad30fec41b9d47d631a6b0ed1

SHA1
cb0ed9f02bfd0ed1a2515650d6827398b4e50b3d

SHA256
a9d884e46a340b0835643421b0aac2a5c8987785cb2cc35a362f8c04a95e5f75

SHA512
572304f24488458e002b95cb1a5f751ed56fca955762db14cac885e2b19c2e681d9ee9b50e40bb2fc3dbab8251cc8d6395986fae4e1c8aae68ef05b5693b7100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{22B971A8-A9BE-11EE-BD28-52EF8B93895E}.dat

Filesize
5KB

MD5
b3d0584844dccf9acfdbab15e4c46af9

SHA1
afe87fbfb0d46f5d12a3fbfa12752ed9c4baecb8

SHA256
634fafe105391daafebde11d4fde73fa5fa4556a7c6535acedf6a1c7cbcfe484

SHA512
cd5f4bd9a9d73a4401423e74170b726dd54080db406a7f234b029e78d76fee77e09947d03fa387d6f3920b7132ff644b701bdb6cdbf8f220279eaa80e4d0507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{22B998B8-A9BE-11EE-BD28-52EF8B93895E}.dat

Filesize
5KB

MD5
3771ddd09ce7c1874541b0965b1b18fb

SHA1
5cc2217c188b684b6fadff0f24e2c44004b15fa0

SHA256
02c207c6410c5dee1678b7c93713e9d8d1e56e96279727c3437b3c9401e200d3

SHA512
e5c41fa1001ab8c71c10064a42300a079cc76c0c6c242cd58f172731459c44b13c481b503e69b994864cf268d441fbb5312641b15e0ebea92eb1e0213b428fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verCD62.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133487080920806702.txt

Filesize
74KB

MD5
c09e63e4b960a163934b3c29f3bd2cc9

SHA1
d3a43b35c14ae2e353a1a15c518ab2595f6a0399

SHA256
308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157

SHA512
5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QDDM1QX5\microsoft.windows[1].xml

Filesize
96B

MD5
2415f1b0b1e5150e9f1e871081fd1fad

SHA1
a79e4bfddc3daf75f059fda3547bd18282d993f7

SHA256
3eff25035403aba506d0dbf69c76a22fa90ec66d2094cbf39bc5267a850902ae

SHA512
5d05da9ec1471dbf91f0c474c8db3897130543ff3c4da70724ce3a36adc38f628264c3dae4f54caef493f7593a0986a944dda0e19e947f3dfc34fc16fbd3e6bb

Download Submit
C:\Users\Administrator\Application Data\Tencent\AXSEF\AXSEF.exe

Filesize
382KB

MD5
7b31b83c5877d3dad017cc4aa43870a8

SHA1
8a7049ba60d52b171bf4fb4242c21a4fcf09ee62

SHA256
7b73a79cdacdf8eb370eda7c96e249a47a5da236ff7c061d768d54531fdc2e32

SHA512
530847f851731cf13143e34f5eb581e6f8472e081b3b1bed45276ed2b51b717fc3a8c8b55d2f3fe71cedc8840233813ec36fe96f236139719fcf5291279277b6

Download Submit
memory/1080-327-0x000001EB621F0000-0x000001EB62210000-memory.dmp

Filesize
128KB

Download
memory/1080-329-0x000001EB621B0000-0x000001EB621D0000-memory.dmp

Filesize
128KB

Download
memory/1080-331-0x000001EB627C0000-0x000001EB627E0000-memory.dmp

Filesize
128KB

Download
memory/1340-292-0x0000025031EC0000-0x0000025031EE0000-memory.dmp

Filesize
128KB

Download
memory/1340-290-0x00000250317B0000-0x00000250317D0000-memory.dmp

Filesize
128KB

Download
memory/1340-288-0x0000025031B00000-0x0000025031B20000-memory.dmp

Filesize
128KB

Download
memory/1696-268-0x00000293FED00000-0x00000293FED20000-memory.dmp

Filesize
128KB

Download
memory/1696-272-0x00000293FF0C0000-0x00000293FF0E0000-memory.dmp

Filesize
128KB

Download
memory/1696-270-0x00000293FE9B0000-0x00000293FE9D0000-memory.dmp

Filesize
128KB

Download
memory/3676-254-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3676-100-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3676-271-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3676-174-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3676-120-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3676-412-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3676-356-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3676-414-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3676-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3676-25-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4248-109-0x00000243B5DA0000-0x00000243B5DC0000-memory.dmp

Filesize
128KB

Download
memory/4248-113-0x00000243B6170000-0x00000243B6190000-memory.dmp

Filesize
128KB

Download
memory/4248-111-0x00000243B5D60000-0x00000243B5D80000-memory.dmp

Filesize
128KB

Download
memory/4808-310-0x000002599AB60000-0x000002599AB80000-memory.dmp

Filesize
128KB

Download
memory/4808-306-0x000002599A790000-0x000002599A7B0000-memory.dmp

Filesize
128KB

Download
memory/4808-308-0x000002599A750000-0x000002599A770000-memory.dmp

Filesize
128KB

Download
memory/5052-103-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/5128-260-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/5548-368-0x000001C3E3730000-0x000001C3E3750000-memory.dmp

Filesize
128KB

Download
memory/5548-366-0x000001C3E3320000-0x000001C3E3340000-memory.dmp

Filesize
128KB

Download
memory/5548-364-0x000001C3E3360000-0x000001C3E3380000-memory.dmp

Filesize
128KB

Download
memory/5576-243-0x0000021F2CE70000-0x0000021F2CE90000-memory.dmp

Filesize
128KB

Download
memory/5576-241-0x0000021F2CA60000-0x0000021F2CA80000-memory.dmp

Filesize
128KB

Download
memory/5576-239-0x0000021F2CAA0000-0x0000021F2CAC0000-memory.dmp

Filesize
128KB

Download
memory/5724-184-0x000002B87DF20000-0x000002B87DF40000-memory.dmp

Filesize
128KB

Download
memory/5724-186-0x000002B87E330000-0x000002B87E350000-memory.dmp

Filesize
128KB

Download
memory/5724-182-0x000002B87DF60000-0x000002B87DF80000-memory.dmp

Filesize
128KB

Download
memory/5740-130-0x0000020E26290000-0x0000020E262B0000-memory.dmp

Filesize
128KB

Download
memory/5740-128-0x0000020E262D0000-0x0000020E262F0000-memory.dmp

Filesize
128KB

Download
memory/5740-132-0x0000020E268A0000-0x0000020E268C0000-memory.dmp

Filesize
128KB

Download
memory/5892-224-0x000001A01B8C0000-0x000001A01B8E0000-memory.dmp

Filesize
128KB

Download
memory/5892-222-0x000001A01B4B0000-0x000001A01B4D0000-memory.dmp

Filesize
128KB

Download
memory/5892-220-0x000001A01B4F0000-0x000001A01B510000-memory.dmp

Filesize
128KB

Download
memory/6108-391-0x000001AB7C600000-0x000001AB7C620000-memory.dmp

Filesize
128KB

Download
memory/6108-396-0x000001AB7C9D0000-0x000001AB7C9F0000-memory.dmp

Filesize
128KB

Download
memory/6108-394-0x000001AB7C3C0000-0x000001AB7C3E0000-memory.dmp

Filesize
128KB

Download
memory/6116-150-0x00000183421C0000-0x00000183421E0000-memory.dmp

Filesize
128KB

Download
memory/6116-148-0x0000018341BB0000-0x0000018341BD0000-memory.dmp

Filesize
128KB

Download
memory/6116-146-0x0000018341E00000-0x0000018341E20000-memory.dmp

Filesize
128KB

Download