a7f088a1cd622d248cd2904ba001c8d5eb9ee90db7fe6d043414bd513a6b0275

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
Size

2.5MB
MD5

f3b0179ba1f2f60ea88c4f14c4e7a829
SHA1

cada0b63415bfdafac480da21742d673a6f1d359
SHA256

b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a
SHA512

fd4f6e6eec6e565435c7fd7d6e5f79d7f59cca0e9ef068f370c65b270d5d4fa034b0990ecb8fb4427ee58ff5048b88130c2b80002e7d63a15c0b4aec2d342303
SSDEEP

49152:VkJD9VUS2v2/czNA6XgbuzDUyjYFb1nbuZvaMba5A7e0JSkJsGdLtFprqRbFFjfr:y9ESLEzNA6XAycRpuwiPBOGdZGxFFrJh

Score

10^/10

google collection discovery evasion persistence phishing spyware stealer trojan

Malware Config

Signatures

Detected google phishing page
phishing google

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

5yN0yH9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5yN0yH9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5yN0yH9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5yN0yH9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	5yN0yH9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	5yN0yH9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5yN0yH9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5yN0yH9.exe

Drops startup file 1 IoCs

Processes:

5yN0yH9.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 5yN0yH9.exe
Executes dropped EXE 4 IoCs

Processes:

EU6Wr47.exefo7Qf38.exe2OC4417.exe5yN0yH9.exe

pid process

2772 EU6Wr47.exe
2196 fo7Qf38.exe
2760 2OC4417.exe
2536 5yN0yH9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	5yN0yH9.exe

pid	process
2772	EU6Wr47.exe
2196	fo7Qf38.exe
2760	2OC4417.exe
2536	5yN0yH9.exe

Loads dropped DLL 15 IoCs

Processes:

b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exeEU6Wr47.exefo7Qf38.exe2OC4417.exe5yN0yH9.exeWerFault.exe

pid	process
2040	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
2772	EU6Wr47.exe
2772	EU6Wr47.exe
2196	fo7Qf38.exe
2196	fo7Qf38.exe
2760	2OC4417.exe
2196	fo7Qf38.exe
2536	5yN0yH9.exe
2536	5yN0yH9.exe
2536	5yN0yH9.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

5yN0yH9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5yN0yH9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	5yN0yH9.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

5yN0yH9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5yN0yH9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5yN0yH9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5yN0yH9.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exeEU6Wr47.exefo7Qf38.exe5yN0yH9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	EU6Wr47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fo7Qf38.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	5yN0yH9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

92 ipinfo.io
93 ipinfo.io

flow	ioc
92	ipinfo.io
93	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

5yN0yH9.exe

pid process

2536 5yN0yH9.exe
2536 5yN0yH9.exe
2536 5yN0yH9.exe
2536 5yN0yH9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2328 2536 WerFault.exe 5yN0yH9.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2352 schtasks.exe
2364 schtasks.exe

pid	pid_target	process	target process
2328	2536	WerFault.exe	5yN0yH9.exe

pid	process
2352	schtasks.exe
2364	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb800000000020000000000106600000001000020000000d117987b434703a5da58cdd7c10d41d0a04be85ef1b5fc5f5b0d9d09e700f448000000000e8000000002000020000000688ba5a09d67374b7b1fc4a2cf64570421306525df1bef65a959bc9615362ce5900000002245cd58ce62ff7b107570bd2789449195f1aaf5bce27b3cd66a10c146425064b858e6c6fc6f48d8352ef7eb8763fab4a20489979637789e071e516a6fd0f9b2c62dce0c75e5d3e4987872da9aca448a696f30785ba4a759bfbb3fe90737875bef597df0a05cbdac9b66d236afb2f3ce1f8bb46c58435da7a5e3634c83807781a02a369268242e09c57952cc6da2725c40000000245be6c24c3490a07d5e280a87f8e5050c3f962faf10ec0da1aa8aeda6206ddd54d0168e49703bb995d4b79747f9d735b3024cf2e6882ee3fd7dc0c189383a56	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{98B0EDE1-A6BA-11EE-BF8F-CE253106968E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{98B114F1-A6BA-11EE-BF8F-CE253106968E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 901fb170c73ada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{98B0C6D1-A6BA-11EE-BF8F-CE253106968E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

5yN0yH9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5yN0yH9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5yN0yH9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	5yN0yH9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5yN0yH9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5yN0yH9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5yN0yH9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe5yN0yH9.exe

pid process

1760 powershell.exe
2536 5yN0yH9.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5yN0yH9.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2536 5yN0yH9.exe
Token: SeDebugPrivilege 1760 powershell.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

2OC4417.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2760 2OC4417.exe
2760 2OC4417.exe
2760 2OC4417.exe
2032 iexplore.exe
2396 iexplore.exe
2924 iexplore.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

2OC4417.exe

pid process

2760 2OC4417.exe
2760 2OC4417.exe
2760 2OC4417.exe

pid	process
1760	powershell.exe
2536	5yN0yH9.exe

description	pid	process
Token: SeDebugPrivilege	2536	5yN0yH9.exe
Token: SeDebugPrivilege	1760	powershell.exe

pid	process
2760	2OC4417.exe
2760	2OC4417.exe
2760	2OC4417.exe
2032	iexplore.exe
2396	iexplore.exe
2924	iexplore.exe

pid	process
2760	2OC4417.exe
2760	2OC4417.exe
2760	2OC4417.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

5yN0yH9.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2536	5yN0yH9.exe
2032	iexplore.exe
2032	iexplore.exe
2396	iexplore.exe
2396	iexplore.exe
2924	iexplore.exe
2924	iexplore.exe
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
268	IEXPLORE.EXE
268	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exeEU6Wr47.exefo7Qf38.exe2OC4417.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2040 wrote to memory of 2772	2040	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	EU6Wr47.exe
PID 2040 wrote to memory of 2772	2040	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	EU6Wr47.exe
PID 2040 wrote to memory of 2772	2040	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	EU6Wr47.exe
PID 2040 wrote to memory of 2772	2040	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	EU6Wr47.exe
PID 2040 wrote to memory of 2772	2040	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	EU6Wr47.exe
PID 2040 wrote to memory of 2772	2040	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	EU6Wr47.exe
PID 2040 wrote to memory of 2772	2040	b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe	EU6Wr47.exe
PID 2772 wrote to memory of 2196	2772	EU6Wr47.exe	fo7Qf38.exe
PID 2772 wrote to memory of 2196	2772	EU6Wr47.exe	fo7Qf38.exe
PID 2772 wrote to memory of 2196	2772	EU6Wr47.exe	fo7Qf38.exe
PID 2772 wrote to memory of 2196	2772	EU6Wr47.exe	fo7Qf38.exe
PID 2772 wrote to memory of 2196	2772	EU6Wr47.exe	fo7Qf38.exe
PID 2772 wrote to memory of 2196	2772	EU6Wr47.exe	fo7Qf38.exe
PID 2772 wrote to memory of 2196	2772	EU6Wr47.exe	fo7Qf38.exe
PID 2196 wrote to memory of 2760	2196	fo7Qf38.exe	2OC4417.exe
PID 2196 wrote to memory of 2760	2196	fo7Qf38.exe	2OC4417.exe
PID 2196 wrote to memory of 2760	2196	fo7Qf38.exe	2OC4417.exe
PID 2196 wrote to memory of 2760	2196	fo7Qf38.exe	2OC4417.exe
PID 2196 wrote to memory of 2760	2196	fo7Qf38.exe	2OC4417.exe
PID 2196 wrote to memory of 2760	2196	fo7Qf38.exe	2OC4417.exe
PID 2196 wrote to memory of 2760	2196	fo7Qf38.exe	2OC4417.exe
PID 2760 wrote to memory of 2396	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2396	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2396	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2396	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2396	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2396	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2396	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2032	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2032	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2032	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2032	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2032	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2032	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2032	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2924	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2924	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2924	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2924	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2924	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2924	2760	2OC4417.exe	iexplore.exe
PID 2760 wrote to memory of 2924	2760	2OC4417.exe	iexplore.exe
PID 2196 wrote to memory of 2536	2196	fo7Qf38.exe	5yN0yH9.exe
PID 2196 wrote to memory of 2536	2196	fo7Qf38.exe	5yN0yH9.exe
PID 2196 wrote to memory of 2536	2196	fo7Qf38.exe	5yN0yH9.exe
PID 2196 wrote to memory of 2536	2196	fo7Qf38.exe	5yN0yH9.exe
PID 2196 wrote to memory of 2536	2196	fo7Qf38.exe	5yN0yH9.exe
PID 2196 wrote to memory of 2536	2196	fo7Qf38.exe	5yN0yH9.exe
PID 2196 wrote to memory of 2536	2196	fo7Qf38.exe	5yN0yH9.exe
PID 2032 wrote to memory of 1956	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1956	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1956	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1956	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1956	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1956	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1956	2032	iexplore.exe	IEXPLORE.EXE
PID 2396 wrote to memory of 268	2396	iexplore.exe	IEXPLORE.EXE
PID 2396 wrote to memory of 268	2396	iexplore.exe	IEXPLORE.EXE
PID 2396 wrote to memory of 268	2396	iexplore.exe	IEXPLORE.EXE
PID 2396 wrote to memory of 268	2396	iexplore.exe	IEXPLORE.EXE
PID 2396 wrote to memory of 268	2396	iexplore.exe	IEXPLORE.EXE
PID 2396 wrote to memory of 268	2396	iexplore.exe	IEXPLORE.EXE
PID 2396 wrote to memory of 268	2396	iexplore.exe	IEXPLORE.EXE
PID 2924 wrote to memory of 2148	2924	iexplore.exe	IEXPLORE.EXE

outlook_office_path 1 IoCs

Processes:

5yN0yH9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5yN0yH9.exe

outlook_win_path 1 IoCs

Processes:

5yN0yH9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5yN0yH9.exe

C:\Users\Admin\AppData\Local\Temp\b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
"C:\Users\Admin\AppData\Local\Temp\b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
5⤵
PID:1964

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2364

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
5⤵
PID:2348

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 2464
5⤵
- Loads dropped DLL
- Program crash
PID:2328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
16fffd0e6d70bece262b80ec1e01136d

SHA1
a85cd7bf91876cc1677188a48f655fafd4ef3ad3

SHA256
e42b8f1401f2b649334ceedca8cadb9da203734b036fa9c858074741400663d0

SHA512
1a9da5d91c794f029b6aae6bfee67735497c991ac7fb0c8227f0c9b3e63c25e3c5c838839d2f03744114c7f07aadbe5220c553a89f792ff0ee369ee98567dc4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33
Filesize
472B

MD5
3a03d31c0d72895a743a5b3da0960e1a

SHA1
dc6f14a68f2f36f0dbbdf9e48526e2ba3da34bb8

SHA256
a359a47aea123f2d6a7e3b090bbc69fe268c5532da8864d2d6387eed150714ec

SHA512
a5714b9d94f16b38edc2a7d389a0f13f5344f129499e29c4f680a008f05d4ace267ae52e127f55efc5142fb3c3f110388ab713367c5e04180bcf5dc0861034d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9FBD3BA6168F3C4317F2AAB1E548FE96
Filesize
471B

MD5
1904977116539dc6b5e5548dba0ee208

SHA1
f63812d400027ccbaf53d9e04e1606b61fa1516f

SHA256
caf7d9aaf861969d69745c08b00bff17763cb073918e7747d487cdb6070ca268

SHA512
e9bd3e5a34a62d90acb4bd604f43ea7dc08c694c31343477d547a1500c7baf50bfc0ca0a9eaaed8aa839c8e982921903033ca73556aa7d8b49d6a3bd1ebb76d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
4c7c695a7a720e9192c9d041f47441e7

SHA1
6b1b6ca5cdf7089de6fcfb7c5edbaa7bc7b56cb8

SHA256
79807b2d91b762832ea94f19fae375b0fc5189007dbe88de89f5916b55d1aa80

SHA512
75c0179d4f940822acb0dbe2cbab228c3ea5132bd744c76c18f6028fafe7f28e93a6db55d1d7cc22c7090520a3191e842f4c35d94a08020b7de25f375ed8fe0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8698794f151d88aaeb71fff59f3d727e

SHA1
181e6e91edadf94deb826363d88912e25b21fdf5

SHA256
0c62af6a644fd016d91bb95cd808d354cbfef7fdd8fd7111414565cbb644461a

SHA512
adff74bff23163d762cc6e10ac8fa1532d228cfb1b7392e43e93da532c390c95169da56d4d008966eae48389b168a4da6f011e0ac81dffe1e7400ae47432f670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
42d805fe82d86b528626b378022959b9

SHA1
ed6b11fe07cef742230d53d003db3a941f235d2b

SHA256
1a4905ea27e6b7923c0335efff3b60fb45e2fa88e9f821577f02086bdd06d6dd

SHA512
10e154f16901c2f25de8de109d5606ec9cd11288f8dc296eab7202ad0e9d412e1cba85eaefa3f3ca4d07f35f83f544b9c26621a34b75bdad5a4066a37bc87b22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0111b0d309b53baa8906fb6b6eff91c0

SHA1
dfaf32875714e61b5fa2c97b1d799a6f73369887

SHA256
40d306184d39c735cf44fc5355f3137ffb9b7126fb95796f83f99858ac70437f

SHA512
08ca3daa88d50792a06d8fa621b08da8c5e7c0f2492024d64ecacc48660a165983dd65153d3754dbec8d205873367cb8281f7623cbd54f38e16b576963987285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
840095c42e29c9c4464c435fe86c71da

SHA1
bf12ff2c2120a1b8b6da1acf5bfbe1b6a8dfe793

SHA256
528f5b25396fb5fa4713f8e16ecbe94521ad09882095b73cea77bda8e6e67bae

SHA512
e75981cb40bf2826b62f82c62f0660061f75488bea4d912b5148d1ada8b5545fb458d7ae392145791ef2c53b2a092a95872ca8462874357cafd49ee08eda14db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f2d4463c7cdcb7e89429bc2870955b47

SHA1
18408f9307f1e6dd90608aaa1f0e3c89776e13fd

SHA256
1df71173a38b3afb1ce7cca0b947cd42e36cbc043643a678ca11a477df6bdbbf

SHA512
bbf79b7bc43fc67d44399ffee1f6b053e1015db108cac1a12da76f7576cc6d08b8f26a4dd50993972b0bd7f74a6be9098e63d22f35ea469ee770eca1f86b561e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8f5e17343ccf353e986ac2dd01069b83

SHA1
1730872a79e9bde9d171426a3f3b9c04ed577c1c

SHA256
a682b6e08bdc19201c849cccb34dfc6c094d205a912fc1879be3f3d3dfb1df19

SHA512
3a36a6b5c41bb1a6bea7c3b1c94c9b18cb148a7a57716ba740a14835373487c6dcb8b186bdf6ea3a56d548dd14661847eb31e50cb5f230930d86ba1310f1ee82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
544bc6ce403888a92a9c82fb171f4b07

SHA1
320beb8478d86e8d9f1a3e71cc71ea387d2b935b

SHA256
cf2d29d9810aacc9c05228d5796eaf1bd2fcc56e619475ae92dc42a19d14aa49

SHA512
23b6270ee6d0d3ecf62310261eed3bf08e3708fb657c5cf4b44b853e51ee3720536faf75d4b56a5f57b333a3524693b2831f48df7eddbe472889baf8df45b568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5ebbceeed0fbe81306a15d0deed8f24f

SHA1
003872a98cfcc18ab77ae1f5445647c14e226390

SHA256
723f2a6180ebaa31bc98f364a424e085ad9b449ce92f9d71308d56f578b1e732

SHA512
5d28714882c6134611da7701c04c1dc2e3cfc52c2a2b20b6076d044c7b9b3f4479e6a3051290c884f593dc0386486016e37a4cc18ec5b0875d61fbfaa11e9bd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fd1c8c4a9b34e59a238ed8a8045a3e33

SHA1
c88204d23679a14500fdce6c18094c3d7058225f

SHA256
c1d4b73025cc21518f89b78eaadb35b80d2c57271c135000fe0c222f7c690803

SHA512
107dbcd8eed9eea9043bfcfb282dfb396fc0385839c1475ba4da3cb58f9cbcc09c4df0fd4108f2373dd1ffb7a19fe25665df984930894c5a753da226cd606476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b1d3da5a5bbd49df43886d683e6b97d1

SHA1
4b00a53212aa7f292e6e17716a144a2ef878e1cd

SHA256
d9df79986ebfeb7147210a8d69b7244a8da18330563b7ddf41223f8f0c682c4d

SHA512
206f1ec3f344e7bd5c99c63e7ca4a233d868343364988f56cbc510dda4987d7b2aa2727f923f35347f9096141df23cb06ff8c29c94ac68cdff6888aeea0bc5dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
71f38d0124682bf3b991837c14964e06

SHA1
a52910bd55a58604bb95a11a9823329dd8741384

SHA256
41c6dec35e372689412df2412f16ad78cdd8dbb545d34108a8ce5d4d30a5b8ce

SHA512
af94008e9fed392749cff9228785c39fd4962a2db7160af94d60d39e527cb83ae3e4765629859ab639d82d9b0e7fa435be8cfe7b06dbaa1de67b64d10de92294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e6a1bbc1450ce8459edba81a592db07d

SHA1
4782adafe1984884839ffe01037e980b763a34e3

SHA256
33d60bb4baa90ccd9f2d8e6f779cd57b436f74887bd12b7eaa5123dff9f1c5ee

SHA512
5c8ad97c519152bd27c7a994b07945b2c286d64b777b479087209c2aeccea3adc37d2a393bbfc977baa8f02531978468fc59e37b59d8190f6d25a192a8af2f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2e98fe2308448262431fd7681de8b9b2

SHA1
64592f3b3188401646eecdfb2f7a74e420f968b5

SHA256
0cf43d9c29a20b6192b038d401ba86f42237587256af13c669c4355abf8cafab

SHA512
2a419173c403c57a9d024e17193cac821fe494482e469d6c254b27b35ea8fdaf6438c44c4d78b2ee486cbf29100b1f7897a5c344dcbb30e03fbd6773f4c2436e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0c9665fd5a109b8aa97477da9d0042a4

SHA1
d9a82823f825093ef12f32ca6d16ed4e99e82378

SHA256
223de7f397c436315ffbdc7c7a9227d7c1269deee7a0059fb63bb9532a839e07

SHA512
45066769f41f70aa65530068e616569b93124a65e76ccaa7af1537e27456444355ad5dc68634cff58925e6ced787e624619642a673c7b00a2e6c600d43b1db9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a982bf5498b0de38193176809ee26816

SHA1
9a82527a2586b0b6d001404751be63abe35343c4

SHA256
a6962aef1f40f9abcbeefc333ecb22df9f43dc6517223d31cfc16530ef5958f8

SHA512
ce010e7e39ea418fb53277cdf0ad463fd5de7d86a109ce1253e61675cbf42ef503e66bf31ad054ed769c0e5d9aa8fd0a4090d0f221e1461eaa201cb1f41f0e97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
be5b37a72d0aad66ab71bd792584495f

SHA1
f68dc73dc639ecfcd24bbeea4d2a3d83c9714b7d

SHA256
f4ea997adea95b6b53e89e378f0d728c592dff53caf1b2d8cb58f36037da0c30

SHA512
25ca5ba05a5d159b8a95ed56158ac06a4be5f5ad5ea3089b0a599508d9311d63c220fcbb31a85e9dff63757772de1539b3e424194c41702669bc77c4c5ddb659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9ad83e5439d43b12d851941637776240

SHA1
3a25dfc3f7684b59e47c240eb7d14fb425d811fd

SHA256
6cad2f64a29d58ba18ac3910e0aae3aa43c762abb9d7b5297b2a6b342b65afe8

SHA512
df4974cfa02869d68e8896f8d5c9c9a9b848d0db340d12231cc8c52ff84cb581bf6ef20d7fed4effc928ff2e4f322f12f64239869e9243a9384229973764a816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e3fe965d726f318e7624a2c0aef3551c

SHA1
ac9d00e61e59044dc72b0f406c414734ab8a8a9e

SHA256
c5d756bf15ec3138e831eae803488b5345897604479a6873bf2b59ec76a15172

SHA512
a52b179e58cf76b4c21314a5ab4e093c266c686f9715549872522e76fb5ef66dd7657c138f0d2b41dc90517550c3f7877d6fcd7c3299f88888ca9c43eda6c5d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
75c7d2f43f1f4265c49372b04bd53d20

SHA1
7cea3dddd27a2bd2247aae4338664242d743dfd3

SHA256
a24d45c870968904b76ee1f8d2127d544149a9723fb276e3b708f71e4707389a

SHA512
e1bc94071b9c53061f13024ee92b37d930f4c7bddf193887495e0120138047ddce4d13c7e078abe141b7a23446506f63828de13ad69a9aa91e2f280962bb3f6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c3268c35b2b733e78cbaa21cccf8a440

SHA1
91ddfdeb5a54dad4c1d9dc6a70b9134de024cceb

SHA256
9bf753b3cf3b0a69ca9d6d1217169dcb7ae6087f4e66b3f9b8ae28b8626f7bab

SHA512
0eecafb2993d2e77114a5ba045531ea2d13c73daddf31400812c34c964af1cd61994c127cfdadb1e92bab26e84e24b1a54144971d445fe895e725f1d3d1e4cfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
edf54cb7800fe09abf0caf6d594e6bcf

SHA1
399e00a641e6a6627de4dab216611dca7e54b2dc

SHA256
28eff24fdd6bb1c0b240884ba51982faea9d75248bc1d8d5663e82074b718cd3

SHA512
b0f9a4cf39245a4f56ffed7dc41924c0b04eb5a6652629ef978b576a280b32fbd02c385b64748f545889925de7c11644592e181036ed4f8dfc20b99658db380a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
21caac018c96a60c5f4758cdedca2b8f

SHA1
389f98d04f59665e70c6d56cc1b90b4a7d1a3d03

SHA256
4ca6d9035266cf84ff31a054a5d18dfad165502faa9829e37ffa44dcccd9eabe

SHA512
a73e0c0acdf61167ba946ee4736c4f5a70d2c08ef22933b40f8d24f224dc33d08f08ae85025094c6897e02c8ebfec79365b65d255bbcddde8200c0cb0b29ed2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
183a9426143f4222b73c3e5702f669f7

SHA1
5b1807ba2dbc2e5942609ea4f90848cf4eb799c8

SHA256
97aefc569d0bb71b6a7ca55a485fdb5be727044ba57cecdef204fc8c4ebb2e51

SHA512
c50c204ec37b27b8099db7a68b1e491065b06fbe93426bb0b014f0c983a009f85bfa65ec1993ba8421c3c208c862b87ba2aa76914c6ed9f6f42b6aeefabea46c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
ebc1b0dd341d9acc432443371d7f24e6

SHA1
98a5fc6c5577182aaab4612e6678c7d1adfebfb0

SHA256
612ba07f3213e7a92f85c064e88f9b7d9186b7ceb9f1cfd11aef28c42f56607f

SHA512
d99127d5d1150ab8305fbc67fb32fe0982ac1bba6a4398a56c2dd98cdf913f7ce14307775ae8e90485d069ff4f45d40affb1cf292748bff6f535d80bbf8d2678

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33
Filesize
406B

MD5
3a5b3de5768842666d59db4e99bb231d

SHA1
a04d709146a739aacce87b74542aae3828777328

SHA256
c5033a0cb5672b44b15582cfdcc6bb79d3f4694ad44a3998b0a1a71017f38973

SHA512
941a937a9d5e25a1c9068c8f42dfe31091bf961040423269728b47218ac0957bab377d2953352e9ee1d3d83e10ff61f14c93fe78a3a70f163a67d7c7eb0e9353

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9FBD3BA6168F3C4317F2AAB1E548FE96
Filesize
406B

MD5
a1b7c24a4e2996d318d1cdb0727babb6

SHA1
308e8f34763d9c86b1104df09ca11b3f85bfdc91

SHA256
1e3f4c9bfd32cd5d26be7d9e21a4c152a8dcadb6668a6bd5459fc03d6f2f4bc3

SHA512
a0407b252f36dcf410e3a0dcbb11419f5ac38c9d5ca8767f1423771bdf7af474c3855538f1e02c6c8fc350337653539cb4840ce49574f49bdcf434c5088f503c

Download Submit
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
Filesize
1.5MB

MD5
302fee1f9c5aa09eccc5a6ad51f5007e

SHA1
bc60c16b80d0b8498161a61a9e56d4101a8d0b8a

SHA256
3e67c6c32acb0dee0014f749ecfe30f5862676c7db978cc442c8eb3c4237c7b0

SHA512
163559815db8f14f86076e6d3b6af277bfd7f13af83ebe961d9275a037bbd8579c2955a653311d937be50963f8528f2703384d350248d35c65877ddc33fa9637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{98B0EDE1-A6BA-11EE-BF8F-CE253106968E}.dat
Filesize
4KB

MD5
bcca8a73f35d59f64aae1788a86b84fc

SHA1
d1de87c37fd255a0d736e717d5604c581dbd4207

SHA256
732f703f40416d49e7be4b1c730a0dec2bcdc0cdb3c5e4d3bf13a1013e9eb678

SHA512
e14f15450577174b2c4d419c571415923e5b870d21657bf45f27264b38c7db15b0cac0ac8ce6264c430f047108346df66fd93e8800d27e5a4780a0f14a80d40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{98B114F1-A6BA-11EE-BF8F-CE253106968E}.dat
Filesize
5KB

MD5
abb629ae1eaa43d1547ef8cfbf52d584

SHA1
586ed7a17a21c3760ee2e27d62215ca027c2ed17

SHA256
4c4bbee6881b859268e8105d49af66b84d7e4873694afb9eefe572b8e5fc78bd

SHA512
c5f4267226fa0a5025f072d11b18d0a9f2b872bfb138f915b32b9d5a1375f6cdd77256c898f50f92176e744dc96294431cd0bb897fe548f2bd2be70082c8d2bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{98B114F1-A6BA-11EE-BF8F-CE253106968E}.dat
Filesize
5KB

MD5
e4f39b78e4bee9cc12bd06f27dcd82ce

SHA1
38df0724abb39b1cabca0a7171df7edfb4264309

SHA256
e929b29dfae780970219ec887f5db70f1af1b8d002e05ca08e1b69edde435a66

SHA512
9ae5255cff144955b577aa671a065283adbd7c83c5fdec44585b0b89d6d9294dc680fae9046bf1415588e5a3450be34ed229ee7bb74aca2661ff00cadf68bf96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0ptx2pp\imagestore.dat
Filesize
1KB

MD5
e28990b49a711b25ba83eba2b10225c2

SHA1
aac2fbef620b058134136b2414c1cdad094ec702

SHA256
7f25686375ed0d55d4aac2b4b744545eb9f12657ecb0c53d543ec198108edefe

SHA512
effdbb4d401a5adf9d762f01738d781d7222894884d3a62b0804131f42b7019f4ddb2f2abb0e5bd1470bbddc173f9703433e74fc0d95d7bf6a90dd931b08a52c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0ptx2pp\imagestore.dat
Filesize
6KB

MD5
1fc1a8fdce9b4a700df53fbef9935433

SHA1
a4a62e4fb90dfa1fd2ab47c0b12b6bd85639d84f

SHA256
70c95152c05f169f32e3ca9eb46d3053d57437a7f36160730dd04a43eeafeda7

SHA512
cd43ae8274edde1cf32513b33a16a07f1fb161197d80aca78a698b03b5b6ed14228244a624d7ac22f9f48b0bcb47d9d5c051789be2136d3453803b16622b4fb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0ptx2pp\imagestore.dat
Filesize
11KB

MD5
431b338af6ba47f79ff5333136e3ec48

SHA1
e93cfc6d9b3ace27fbbd035148a3fb6ddfe2c77a

SHA256
2f0e91d7a1c0d449ea69721265afa1c25d5b13c83297070e4d3844ab58baeb77

SHA512
b7be44ae8e7164bbd07fa1d2c2dd194bf6b928cac5bb121f4192acf24ac6ba79907cf723c9de3f276e862aac014069b5638fd9714c1c5ef622e2229d37ad8358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\favicon[2].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M2VO416U\hLRJ1GG_y0J[1].ico
Filesize
4KB

MD5
8cddca427dae9b925e73432f8733e05a

SHA1
1999a6f624a25cfd938eef6492d34fdc4f55dedc

SHA256
89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62

SHA512
20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\favicon[1].ico
Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8661.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe
Filesize
1.9MB

MD5
60764862bbf223a46037cbebbafb0d0c

SHA1
7ec036c3651fccd8a246a30118f9e1dc62ef7710

SHA256
319d23401d5285e6abab1136687f6987df912e0e656e1775a61179eff9668064

SHA512
5f32cecc0eb02aa616fceee95ec074c536d57b7beee18f30a9356c9e9b5244ff8255cdcfde6cd689bedea411f2aeb7925a34c615b04caab43ebf3060069d1af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe
Filesize
320KB

MD5
6573cf04773840699a2d5b9d67a9b4c3

SHA1
692c15555d70700287923dcbb2b4b50af9f00cce

SHA256
e91d1d220b5f439beb57d10e51719f4e8c41c5088599fd32a1f32890d40b27d3

SHA512
2aea529304eaefe9d9f61e56a41aa7a01b196d431d2d8f1a2cc46ce4036d06260073999d47a2df8ea972020eb651abd4c33556cdf67eb74be0e2f7e6cfb43e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar871F.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSYr1XEOyk5eho\L6G161bdz8oHWeb Data
Filesize
92KB

MD5
c5ab22deca134f4344148b20687651f4

SHA1
c36513b27480dc2d134cefb29a44510a00ec988d

SHA256
1e9bd8064ca87d8441e2702005ef8df9a3647d5542740737abb8a70be7ec9512

SHA512
550f45132525e967d749106b9d3b114d17b066967527bfd5c66613d61b6f3995f87b0f3c09def19eed14b5b757f2501645b5103505d126f1dd66994f50e1257e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3G166WBL.txt
Filesize
362B

MD5
3f7d552573f38223ee56f1958177eaa6

SHA1
02e6d38e6b39f91c88bf0cfbc3806120c05c67c1

SHA256
7a705ad36382cb056b8dd05f592c41e8c2769939dca5262fa22d3554e03a9970

SHA512
8bb91fb189ccc7856308ce9085d3692ab60f0ac131b9f32bf3d2c03feb78274571b61aceadfb64d193772df029802c426caea2a4dfdfa54f2f040e3548a76624

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
Filesize
2.4MB

MD5
9c48487da185e861ba60949a63ecaaab

SHA1
977c0af43b46c7b855e75d195e19a52702cecaf2

SHA256
59d884695032fa9d11282c7f1cff87f0f974434c51016398b141737f54263cf3

SHA512
6b37a301d962742198b7cf0e24d117dc1812029617f06613ef175c8ad7d6ec2735144efd7b355bd5b4422f3ad3dbe3f91f3cb46e55dcf3a056f5636ae6ca4cd3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
Filesize
2.1MB

MD5
dfe4c8a541abe408eed5e60985ab041e

SHA1
4df512a0b2a06b2f98d10db2610067d5986f19fb

SHA256
063e34e062ebc7ca47a379341bea837316b03753e44d9fc8246bafe4ddb5c9ea

SHA512
608fd7bbd3c345a8472c868e3e8e18bc590a06a6d9df203cd61a0a96e2dbb84cb3aafff374cb45cb227eb3e5182277b212ba961bf8359145ddccc0e0d9d5ba60

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe
Filesize
894KB

MD5
779db1fcaa2b01c67fa62fdcf541137c

SHA1
85aa8928790bc40c8dcfac0585e87526d285905b

SHA256
0b343aceb8665dabb2f978310bc369bcac837bc19c7422d059fd485d50bb2c42

SHA512
b657c28f2159a283214b8ad103492f467e79bbd6465385bde9f15e5c3712433e7d77bf08b5637c2d4dcd7c2fa85fe4704ce0cf4096af4097861762fe10f5a00f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe
Filesize
1.4MB

MD5
7716b93dd7ba52aa0b3ee552e55a1daa

SHA1
df4492fe62dad68715cbd78e3035036d226a58b4

SHA256
e1c5c701d6dcd8ad0c0a3dcaa66affbc6862ee52a926b4b0a528c9b06d3fef8e

SHA512
0dfda57af65a2f5f361738a69586011d5ff18f6904672aba7840acbcf4f9b121a7dfbe4cc34b472dd0f22d136d779a1e94cd20e26b2b5c937e15efb620481779

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe
Filesize
256KB

MD5
dbab82e524d4ad4f560e1ffff5e72371

SHA1
fc98ac95a00c9524195a27004c1d8c8cc94a7763

SHA256
3e864835579603f1535e742bf8d91d83fa8aaab0f4cdd4cb4ffe19c53ae15bb5

SHA512
2bbee37ab8a2d11ccaeb927006a88f8102fdd4f455a14e60a8576eb051b92404842b730075294c1d55557e09a72f30e64951f881a4bc56ec4245bf053537b1e0

Download Submit
\Users\Admin\AppData\Local\Temp\tempAVSYr1XEOyk5eho\sqlite3.dll
Filesize
791KB

MD5
0fe0a178f711b623a8897e4b0bb040d1

SHA1
01ea412aeab3d331f825d93d7ee1f5fa6d3c46e6

SHA256
0c7cd52abdb6eb3e556d81caac398a127495e4a251ef600e6505a81385a1982d

SHA512
6c53c489c4464b9dc9a5dd31c48bb4afa65f7d6df9cc71e705cea2074ebd5e249cad4894eac6f6b308b3574633bc6e1706dfc5fda5f46c27f1e37d21e65fbc54

Download Submit
memory/1760-235-0x000000006E0C0000-0x000000006E66B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-185-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/1760-180-0x000000006E0C0000-0x000000006E66B000-memory.dmp

Filesize
5.7MB

Download
memory/2196-33-0x0000000002700000-0x0000000002B5E000-memory.dmp

Filesize
4.4MB

Download
memory/2536-965-0x0000000001660000-0x0000000001ABE000-memory.dmp

Filesize
4.4MB

Download
memory/2536-1012-0x0000000001200000-0x000000000165E000-memory.dmp

Filesize
4.4MB

Download
memory/2536-1015-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/2536-1022-0x0000000001200000-0x000000000165E000-memory.dmp

Filesize
4.4MB

Download
memory/2536-37-0x0000000001200000-0x000000000165E000-memory.dmp

Filesize
4.4MB

Download
memory/2536-964-0x0000000001200000-0x000000000165E000-memory.dmp

Filesize
4.4MB

Download
memory/2536-963-0x0000000001200000-0x000000000165E000-memory.dmp

Filesize
4.4MB

Download
memory/2536-38-0x0000000001660000-0x0000000001ABE000-memory.dmp

Filesize
4.4MB

Download
memory/2536-41-0x0000000001200000-0x000000000165E000-memory.dmp

Filesize
4.4MB

Download
memory/2536-404-0x0000000001200000-0x000000000165E000-memory.dmp

Filesize
4.4MB

Download
memory/2536-261-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download