5767724a51f17b238a1430ce22810473ce1eb1cb2211a6f356c51ee143b3ec8f

Analysis

max time kernel
144s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04c124d16ae427d67e2805c62c7c2b39.exe
Size

32KB
MD5

04c124d16ae427d67e2805c62c7c2b39
SHA1

3389d1548f4508c087a0b9def501ff801332a97d
SHA256

5767724a51f17b238a1430ce22810473ce1eb1cb2211a6f356c51ee143b3ec8f
SHA512

954315427a4360cfb4dcb2c8baa5f48b1804a55c9d7e1f9ccf67537c73d2965dd35574c47ba787dfa74ad6a805ba07ca7a7e05e0102d34fac6a91dcbb4882338
SSDEEP

384:GTe/OmxDM6AbQBw+8tWp3WrGQ6mXjDBRJwGaRLlvn:ae2mxDMBbQB97SGQrXj1POR

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	04c124d16ae427d67e2805c62c7c2b39.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	04c124d16ae427d67e2805c62c7c2b39.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2440-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2440-4-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000100000000e664-9.dat	upx
behavioral1/memory/2440-101-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2440-123-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2440-124-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2440-711-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2440-1475-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2440-1837-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2440-2277-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2440-2465-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\capisp.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\IMJP10.IME	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\dskquoui.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\hcproviders.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\wshrm.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\cttune.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\diskmgmt.msc	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\KBDIT142.DLL	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\spopk.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\uxlibres.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\apircl.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\KBDAZEL.DLL	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\netcfgx.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\netutils.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\rasdlg.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\themecpl.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\forfiles.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\msmpeg2vdec.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\mswsock.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\netmsg.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\UIRibbon.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\vfwwdm32.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\d3d10core.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\d3d10_1.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\DeviceCenter.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\KBDBGPH.DLL	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc110jpn.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\mfpmp.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\nlmsprep.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\tapi32.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\autochk.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\credssp.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\TsWpfWrp.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\wups.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\dpx.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\rpcrt4.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\StorageContextHandler.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\isoburn.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\kbdgeoqw.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\Mpeg2Data.ax	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\vbscript.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\vds_ps.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\wlangpui.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\DevicePairing.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc140u.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\elshyph.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons0013.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\wvc.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-crt-private-l1-1-0.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\C_1143.NLS	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\KBDGEO.DLL	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\KBDINMAR.DLL	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\sxstrace.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\tpm.msc	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\dtsh.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\Magnification.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\SysWOW64\vcamp140.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\wlanext.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\C_28595.NLS	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\gpprnext.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\EAPQEC.DLL	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\ncrypt.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\SysWOW64\rasmontr.dll	04c124d16ae427d67e2805c62c7c2b39.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\WindowsUpdate.log	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\system.ini	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\notepad.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\winhlp32.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\setupact.log	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\write.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\PFRO.log	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\splwow64.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\twain_32.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\WMSysPr9.prx	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\explorer.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\HelpPane.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\twunk_16.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\mib.bin	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\Starter.xml	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\twunk_32.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\bfsvc.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\fveupdate.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\setuperr.log	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\twain.dll	04c124d16ae427d67e2805c62c7c2b39.exe
File created	C:\WINDOWS\hh.exe	04c124d16ae427d67e2805c62c7c2b39.exe
File opened for modification	C:\WINDOWS\win.ini	04c124d16ae427d67e2805c62c7c2b39.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa00000000020000000000106600000001000020000000277a03f4165b929d128157d6c53ec2c6b7c0017d3d112370284dab9565baa900000000000e8000000002000020000000a6e5bad70c7bace94b00a4d2c66ac109b1e078d1580c93e04ceb97e85cff0ce620000000db2a536f21b945280efdb477d9f601d16193c49c8c51377e9666b1cace3dfca8400000008cc9fcef20ae2d0c6f9ae8d8922d1fa1fcee4606b890fd4e9cfd29637ea57e5833fae7dbe606b599db58b064ae0f732a15dcf1b9f098d4e84fe502e9304f53d3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa00000000020000000000106600000001000020000000884cd2976702f0d7dbb1f7a1a8b7f6bfe270bd9f8637cc014a1818a7964d064c000000000e8000000002000020000000f47b097c912e7ed001e4f66d6a3c5c320575d3fd962abbd329e1f0d245c1b2b490000000e645e9ec0f6aa636a3ae3f37bf0d919a88104bd42b46d9b3945acd2770b08e7f04a4863ac707d970a63b93ef07b4a4cee7533ec088a451b8f9eb46365b1dd24f78be1944b0d2704c60fe651aff94e4363b11e6f89661333ca18b408fce531e682e43988d9d7ef4178af2d64e15858afaa8f8a15e34450ce3712e295e9e9494d26646c17aa348359631a52b51056c9e86400000005eb1cbb0bff5c430cef4819f48b4e4d47b063c2a5543c97691801871640361c15b579576ae955b7340f03ec2f696d46ac32b6ba103f2bc5163060db0b45ca050	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a1fa42c93ada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{51872D61-A6BC-11EE-9E63-EE9A2FAC8CC3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410065702"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1908	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2536	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	2536	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1908	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1908	iexplore.exe
1908	iexplore.exe
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
1336	IEXPLORE.EXE
1336	IEXPLORE.EXE
1336	IEXPLORE.EXE
1336	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1908	2440	04c124d16ae427d67e2805c62c7c2b39.exe	30
PID 2440 wrote to memory of 1908	2440	04c124d16ae427d67e2805c62c7c2b39.exe	30
PID 2440 wrote to memory of 1908	2440	04c124d16ae427d67e2805c62c7c2b39.exe	30
PID 2440 wrote to memory of 1908	2440	04c124d16ae427d67e2805c62c7c2b39.exe	30
PID 1908 wrote to memory of 2536	1908	iexplore.exe	32
PID 1908 wrote to memory of 2536	1908	iexplore.exe	32
PID 1908 wrote to memory of 2536	1908	iexplore.exe	32
PID 1908 wrote to memory of 2536	1908	iexplore.exe	32
PID 1908 wrote to memory of 1336	1908	iexplore.exe	34
PID 1908 wrote to memory of 1336	1908	iexplore.exe	34
PID 1908 wrote to memory of 1336	1908	iexplore.exe	34
PID 1908 wrote to memory of 1336	1908	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\04c124d16ae427d67e2805c62c7c2b39.exe
"C:\Users\Admin\AppData\Local\Temp\04c124d16ae427d67e2805c62c7c2b39.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2536
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:537614 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f1e0f24b20c5ada109e9b0d627f967e

SHA1
0d7ca56c87d0f67033a17eff5bb8b58f373d3e0e

SHA256
9570fee363c2198aa72042d02e5fc174c4ab3e1eff41052ffac57c78bce12138

SHA512
b99910f9bb39b2c52ecbe981b0673459c30767af634ea1b2f7e167bf17051e1f1756d859432e4b4d6bb603927838e6009eb24d1ce8d84686ad538f4a5edbfe98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ddbfd47023d36abfd6e770cdd911b67d

SHA1
d5ce57cabe7bc7f448e0b161444b8272e86ac54f

SHA256
8cd2235d9bef0993f58bd20e7ae572b0d761eb554ad2fda23f9f7b219cf96e5f

SHA512
8fd4e80cce7fe396096a7dbb6339f08a8f352a6223e5a120980d4a954db67c1fe5e30ee8154fb3c34782a66bfd29dc312e91468d8d6dc4cc230b1560fc7dd410

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ef6a118352dda4a814798b31afbfee2

SHA1
37313f44161478fcbfcc209c64931894f6f691c2

SHA256
d07f618b38dcf56ac42a9dcd3e5d4c563dab555d4638b947b3f508d6c6f38652

SHA512
58572ecf2995d8565e61054fba820354f91fde6cfa8150ccd6d6946bbae85a1e35b8c3e07637a152954be20ddbadf640c3460e6399405db6bf45316fc4172926

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80164affe2b229b237c1f69a6b16c1f6

SHA1
30561ada0c8c54a52f3c937fb3ea7b0100ce3417

SHA256
0a81f1e18acc40e54fc89a5c290573d0395a99e349df83dc3cb6f72f41969887

SHA512
a48cbc75ba1be9ac43b2364280cfcdf121d0e22d5afe4839251b97a60b22fc416e1026747fc2dcacc1af777b3c6674e4b747f9fd2fd130296315f72d462e0bc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c360f6646653dd8f1c227a0edb560816

SHA1
91e1884928fb60c71aae52b4280a7558f6bb53a7

SHA256
cf0c0ca9ed62eeb3ff524cae47b52e3f45fb0a5075e6058de100777f20da9148

SHA512
bdd8825e325a82f8a12307eb25047b94d6675b47da96230e5e006bf3155848b9b450eb974d848698e4b226fc00db3882185ada7a2ee3c85e03511b59ca9aa464

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30543500fc59dbc1ac56e9e38115d97a

SHA1
29b02a101a766f46f2265a0eb68db664fd343a3b

SHA256
5830266349351412c7739c7cfbbc33d37b5d5c34eb7f8d863f45f7e0a096e5c8

SHA512
c3a0f68671dc755948be90c2c12ec38fe23adb1f9e4ed74f7768d0fc30c60575b53fcb828764957a0894702ff74a430ad34fbca1884660b5af9dc218bf46bf6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2efe0109cb492afba62f9bfc2b5ef87b

SHA1
34ee32eca4d5e2ff90f8e17a669d83767bd5c124

SHA256
bc07c4fd0319e61ec3b53596d242d3eb1455f509ac167075c8e65e1713d379b6

SHA512
1317c6b0a8969ea4d5ae960e9dc7f615e4d2ba4fd05a41bc9a818db418ff566fc5ace6342bdedb3209aef14ced08937de506156f2356787a2edc342b6cac7f09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e3c22ea7ee4781be0ea5d4145d9ce02

SHA1
44889096eba89e81dd4b044e157d0c383329d3e0

SHA256
dffbdcc92c17b846f84e37095cd1398e1f3f9ea2512090af9df3042b8183eef6

SHA512
ac8841e20f064567ed7f2e325647bdb2f4ca2335069f86f34c27afb99bb50022e6b6c5264a6585567e46c47f8f3561fd08327f7e971739111096f677476bc877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7dd9538fb8ca2cdcfc2dece8918d4ca9

SHA1
02ed66a880d44e4a055c97445a0f862232b799c8

SHA256
350eca25dcde5c18bed96d559d18ff9ac6e84af8eb5a32a08cea1575d4c19ac5

SHA512
e9609f4ab86eebb21481d14e05e5fc86d158c5f4ed57ed1debd4f54574577fad34c356d32a493da9117fffa95a702bc68d7a70c7655986a95c5b1a7b33941977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2af089250368a7dcb24395781cf69a2

SHA1
55f381a04c9a73c4bdfc4c08a0e159570e0847af

SHA256
2d04fd88af0e33d437062b1baf8da327dcce3a3cb8f75959e07116fcf818d8d7

SHA512
ddb705ba5a57d3856f779981ad78b54e1d0f588b852092dd75124db2b7dca16caa9df8816a44dc4823af822d7c6855221527f85ed0d45951789372123ed6619a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c59b40a317bf9a09f990dbd91d3baacd

SHA1
002f6ad3a43a709189054a96908d2b053a731953

SHA256
eb93bab4431e3f8abf4124c2f2905a33ad79f8a4a84fb83e4ab5ee1f7475adc0

SHA512
b5454ca5177718e0bf51b8fa75c7c5536392334312e3b8815ac5025c1f81dfa7535184f24f883d20b63ec2ebff542964dcce920692f9b5de0ab3c15e4bf3bf97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bdb5dc6ecbb032b92b91339cae7bc78d

SHA1
b09e47968b76aa03461589bdfd44fa708c6616ca

SHA256
30d5f8984803b407df160a9ce12b724e35a2c7a391f6666333a695c0eecc6423

SHA512
9c35df0f2a008bd2d71e8f56b9f90ed85189954f24b62e4a5c8b261d04c92c4b955e0b3bc5e4882d68ecef5d6f3f5d95a0838a4a45f8f5fa890ef50987f54983

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
34de089d5c6bec5130f5b58098fd0d71

SHA1
05c6472fc4383348da199a5715731f942ede7dbc

SHA256
c56e06232a88e98d0e3ed6be9ddf07baf8a63776e8d28aa1093886684f5ae8f6

SHA512
ecbe6ffe000cfe67fe14c5f3dc272b3744a45e10cb35ddf8f50210cab24b2ba2590d585952ee50a471c3e15a66b74a639cc9b98df61373704659f84934789f92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6388d31041691776d546674f0b2252fe

SHA1
9312502bc50aea1eb1c148f8bd636a04cc3bfeca

SHA256
40d2290031ef51a06ef49de6d679f3dc98bced82d9e3c76f87e7cf8859fc595a

SHA512
dfbf21f709f947ecbb22dc21d1bca2ec132f6be15bb35a56f0b714a217e4f5cf941293f69c0d0bf4ddccf158e542188965ef7655bf5cf1a64064855a7575ffd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1c443da296807d2db4011083f4ad8e8

SHA1
510f760f32fadfd52ecc296bc946f529d1495a8f

SHA256
35d1cb05bbe18b786c11b2b2a0ec4e67a8a5158f1b30561ea3a3bd92622bb008

SHA512
546596afda0aabd58293bf6ddd79478b9be859eea5e5ff7bb37447dc1a52dd08752c9cc6234cd6a1a8eaa02b152ad160a4e5ae4887b0b5767faf853863fd34e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa01c6ea5b1d6696cb8458f8947bcdfd

SHA1
9f8956dc7f17d4f6c0658612c62c37811de9cca5

SHA256
0dff0c839e7689345383cc5def6d7be773cc2783298651c4b5b68ca1211bb44f

SHA512
498efcc76c5d4f3b04609e461f368f0167021a087ec398e43992a396024eea39b764d4891503b85a1af9b6d184f88e68b5efddc70a63d6e9710f750dbd468865

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22fa1219c1dc06697cf8406e5eefb39a

SHA1
ef372750b96ca60f4cf95051b9167fa547b14f91

SHA256
0b1bac5d5ac2ab41013fad6bab434aabcf8f97ca5f5a70748f5ae50f3ea025ba

SHA512
d30e081e9d088cf5de108552069c91f18a6dbba8c4ff1d1e1e46f009601e3d26bef072278c0655cd8784c931678cfb0522a8323837b7e584cbc5d04d10f570ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6085a1746f9b69ca582a2cc27e1b765e

SHA1
31125e1ccdb366a299d716327bad90fdec3eb3e5

SHA256
5387e6d581c30c5a47cf9f915b2d41acef2d701260fdc21be5b2e86a2ecbebbc

SHA512
461b0475443439791cf0effa86be29b836e6dce7247055924094bf332ae3fbdd252bb8aa515f60b9e3c4b4983346c957db12e80dfabadc820a5597da9faa4ca8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7fc2b2f5fb2763c7499e231f0d2863d

SHA1
bb92f458ff256e87cfaa13ffd26de0f65f3b62ed

SHA256
734eaf2c3a5229085531c7108608fe11569a95746d4c8e75b1c9e3b6bfd75baf

SHA512
e24814a6b8ae3609c63b9326a0e2686d51c2986aea52459c0461ccde2a60f443b544c5842ef75e9e704dc663dbb9d48048374033413d4c72b93a925fb3460184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22f31c74f69cbcaadaf0d5fe53c10bb4

SHA1
7289445a0f398be55361c1e2f259e768f1c16d91

SHA256
b445615b9a50c93a77d28caf491be66b5aa1a66552ca6382a8487a76a3bbf732

SHA512
92daf498ab3cb8deb2f4cedd2359eacb80f5f029e461d8519fc74ef151ea3ffba93533e40ac6ac46e9cbe7b1d45a276bf0b29bae406bccab198eece972696767

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad3efe1965483969de8e71365e34c8dc

SHA1
8ae55bd0a82295d375e8143f5a5c97de640ea3d6

SHA256
3907728c10bad6328620fcfdd5b31f12787397b213d7d1397e767588807cfe69

SHA512
2d26453957e93a151a2af465cc69dc1d5f83e02bd5a46eb5d5f84c39ca290f7a06048050cfacd9c73279736e945c1e2ebd3a32b19da7fe9c4cb115313d731a65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e220d22314954a129614dbf0d4c8c7b

SHA1
865574827642b2d0eb1e3880acadc9b7d05c1cd8

SHA256
013c53f7f6e2d94014b61f0e0b1782f41086f98e1b67dd8d4bc40b24846dee1f

SHA512
b050c07d36ed2ae118a138053e021227fc7787189083d507752d24a625b251287bdc26a9dc49d863ec323eb85d7be95dc69724c0e46926e794f15091ac4ef6a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
237857d589b42d7288431a8fb35cbe18

SHA1
88feaeb20846ded8af5c4bcb559fc5d04b734e70

SHA256
83ba851cac17b79b71fac047818dec1ef57a5caaf66a85e95f621983608fbdbd

SHA512
d37655b9d1a91fddf3eb2466c28a03c70505bdf9cefa8f466fc4bc1ac3ec3c44a1eabe98708b39b46e9485b10cc978408e77d0d49128fa34dbe79212c7154a2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13960f2865cb9db7b66203122bfb680c

SHA1
69ba55bdbc4149c4bac3ca2f11913e1acec607eb

SHA256
dc6f28be0cc8a86afd930bfd237bf6715c5d6166ca4f3308e4aa9393531670ce

SHA512
bab9e8a43a45a0b64965ab9c6c1e8d8875f06331ff3ed1d72a33e831b64f4264091367bcd1faa43a0e032acc06e6da2875a262eda17abdeca633fe002170f038

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fd9392ed4ecfc4283b9c58bd8ce86dea

SHA1
f5a02e6cae8f38c4d8265d508982da3acbf98feb

SHA256
e993b495804e7f918c9429fb5ba2402ef95cc00b7c80b574b7cafb50f68a0946

SHA512
b3f658f82133f9f3a458306c31b05ac7cb4c2e7eaaade1499324090dc7707a7ea629528b8820654b988cf9861e62681f8d6d979c629148b18f92f9f2de89cc8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81c56912bf3da8ebb56cf1a2ad5ec98e

SHA1
27de1a5b9a79001770eab06dbf62d3468cd7a66c

SHA256
13122a7ccc46468178250d0f500ad1c650f3c6045566701513810c094cdf92fb

SHA512
8f275a3ba0afc57597a4cbb30df1bc7188789224113a4ed3a7f5c6cb954839d650d74fee7e9ec5fa68996c514cb0eb013d58d8d7985aa6e64e4088200f1a43a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ab150ef421a45d1c1ea3c9061a6d871

SHA1
12e49cf67f23c9035d5915e9013a0e30e943b3d8

SHA256
c005325f560e30be88a397fbcb7a27cb437c61e90dcb2a355c4e2b3e3774a915

SHA512
982edb2ee2809d5fa2e2291f5357218dac8a61296cb6b076cd9d00410798dad2879154de7c3e923751aa8737e68083b15fceeefe908b41bb2331afd98b1dffe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd3aab4de3b32685102ac3965df9d695

SHA1
252897b062d8966edb291ce97451917f51d469a3

SHA256
a06b997661c5b9411151126af17d5b5842985433243b8a3574bd61a5faeee9dd

SHA512
b54fc4875250441e5da4f1fd5fe252b0816b1564b14b8e12960cfcb618a4e2fa840c0e738b31bab460117e46d294a3bfe32f11d5760cd7669ac6d6dfe9a9c557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d939f47190f683527d06b62e90373496

SHA1
47ed29e906553b71c2fe9539f0fab9f897039ee3

SHA256
604eb896f4cd170efc5d9210160e4f1cfa69bc6def24f12148c85c7077ca911d

SHA512
35a4172536fe29e72d378ae6a3776f09ae606ff34862aa324cbea89e2c049912e1ed1c3a962c79271f7520c42bccf35c4936f3449419bb940c36e8102981288e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e298fa4d24d8a7bfca2a8cb29c6093a5

SHA1
417faf5862e599a5dff0818c58f7627bb5a9d89d

SHA256
c7a8968470c5b2ea44e3299b57c278b832fbaee045bdb941e28738e9a0339f02

SHA512
740ce9777f649387ece6f0a755bac8cfaa802acc415806168dff6c0506831fea9feda7bb0cdf87b5cf2d156a27c26d3578627ce8e27e412966d13cfd86b2e36a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a26e7dfb054759ddb5f7544f63ff0f09

SHA1
b6f8c837d73d5e1beba63a3d625f9bffbf4f5f7b

SHA256
7438b583d9e6187d504d25fd251139ca1f1d284c16398fa3640c88b7743d2f92

SHA512
a72d16cb22c9125e520dbc989ef91405cf1550abf1e7ea1f812e3d473c2cdebf325c3a9f72a6abca61d1f7a7e02bb739f52048e7ecc4a564c8a8ca8d526eb9ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b8f4d30284b7a128bd8bf123f9baa1f

SHA1
116da7f6502f75fed1951e2f1efa4339c98470c3

SHA256
f52a71ed9e611c5ce7421b73a06a929d43b91a0af2f16f0d7f0ac67201f7c350

SHA512
77abb764d9278f4020fa4a3496be154e8d5edbe0f521fc2c61583134533676c533ae60a7a3fac047abd05366cb1f127d136916226bcc2ecd4325affad55ca7b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fd1cee92524269b650b9d8129a2cf8f7

SHA1
3840ee1c2bbdf85760fbd21a39c8db63e0ef8b53

SHA256
482f9e8e84dce6417d7f587759d2e7d3ebe44f0c88808472039a3eed2f1deca6

SHA512
770d6566dae21aaa922a5e3a70841aef45a500fe2a24558279f778a0f8675a4e4b498d4e3b3a9d643fb9ac535455876205e53cf93e27b0c05a23a18b887b14de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
775ba0c541910c7cbf525966995d61f6

SHA1
4f7c1f58e33bb352b3ca307b3c6a12b1f3680c9b

SHA256
fcaad42c2f31bfc13541ddf08c87d96bf62fef9cc54877466e448776971f9e2f

SHA512
140456088954eaca6358f821d98eada7210685f2c79d9f8697944d796867bd2cfa06412aaad050b20a913f1de86f895a92f8c0063b3c4cbb54b153f37e1b4791

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd6699afab8be7b3dbd0fbad842e6672

SHA1
6759cfa7264961d6b83ad4331237e1c06f0caa15

SHA256
0e2c14f525fc86a611049146f5d942901d813ab118a11f16b9fd4f700e761016

SHA512
1ba9232ec4b618d5f744dc897e4da1c8e78f3c9210acd06c53aaed31d05de5e4cd2b7328e1521e06004af8a4e4cebe14e91833c2a1a0a46ce477abd6511be66e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
15d6e821391f1fc31ee95f5669f0cea3

SHA1
28f3c1f2d13326348385098f8356438e103b00f4

SHA256
ed7407142999abe54b188860083dfcd29b4228910c0e971194ac9e8415bbfc75

SHA512
f734093f2576a0548ce46a20dbb6504b6f6216a9fb7a467c7129dd89604ea8ccd79ac7ea0343b0e1e789f8ca7d33aca6d5c321573a5d50541b80bf0df9d90d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\2DOR4HTE\www.avira[1].xml

Filesize
223B

MD5
1cb18b11c5e645e743fde473374fc7e4

SHA1
576c14b48c4dc53902c9705670208a8f1a769ef3

SHA256
0b47bed3173547a28b2eb869b261c9abab38eb31230c949e35b670ec155397be

SHA512
ba9cad9cddff05514e12ca188ebe5e5d73782b8e7227abe88449d75d6de0a9871bd858fa4f1ed987494362233568e3596c0a43fcc7a5f007126b4b594b285be3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t83hqs9\imagestore.dat

Filesize
1KB

MD5
994567f66afd4aa826c71a74d425d2a7

SHA1
b026ee74be20def63083940b7371669244e9a701

SHA256
2d53fa9514bd69ceb78355befdc393ab9226a22bd726133b91e01104e0ea893c

SHA512
aa682ffab41271e54b2a64d30a6ab13e19669847b8ac6e54e5067415fddaf2044e6634ba3dc81cad4280aa4de3b6539ac58e25bec9a4d5b3a62928cec574a2ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4R90HQQX\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3C96.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3CA7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GC0NXGHM.txt

Filesize
390B

MD5
5cd518abefd09a0da958a2577edd1f1d

SHA1
2b9427991322bb806c30ef0bb7d74830f6a80ecc

SHA256
3fe522b14c72ea3895c56f52f4fc2078efa9539a223dd562ec124c776cf5769d

SHA512
797050182d024e90bb9a80067c14646f8f9691e1ca6fa78a42e101de9a0b7b6d4b5b586459a9e54e00ca06aae593e01d8ca53b5709065a8af7148aede151024f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NYRH9QQH.txt

Filesize
577B

MD5
7907ad11256c424e67bb1ea5c574d307

SHA1
b3a7d57fae5d90455b7d9ce4daefea5562ef595f

SHA256
8d51c1408131683ed186bfe2ccbd250d9837df21222aa690ba62437075a898ee

SHA512
1a5201297913ed2c0b88e63cff38c7ad623657289e59df58b86875863ab289d8f3ec1eea85008bb53b981e8c862d2ead96bb5c7354f9bc358732cfa55c283622

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O7WJ735M.txt

Filesize
392B

MD5
debb3cde950486010015c1fcd8345437

SHA1
3473bd61ab948f60a02706fdc20b0b44cdd4c37b

SHA256
6dfa8a73bba25a10107e3b136d53236c695bf8eedb7ab5a18013896508734f47

SHA512
1e54fbecead465f49ef6beb15d5e7b87439029bf6b45262672d69cc2a4c1d188d3a7ae28e92babb485b663e1953208075474c5ba494e05a46358543fc96ad3cb

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
123e61acfea7dc3b1cd7206a900c7dc3

SHA1
63326778a1103a707149b1a4066ca2dd30d84c8d

SHA256
ea4ea33bb8675a612df2075657b8d4367ec09bad127218fd84b277bba0ae9a07

SHA512
1303eb3963e9ed0e64daf1dd199fac1294869f4207954cf199fccecdc8dd03fb9a200cb24ceb64c5da69251f3d0b642239c73a5437e1225abdc1b42771bde8d2

Download Submit
memory/2440-1475-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2440-2277-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2440-2465-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2440-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2440-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2440-711-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2440-101-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2440-1837-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2440-123-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2440-124-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download