17ce3a82deabd5d14cc8661f87961a19b7d4092f03981409db2b82e77bb981d8

Analysis

max time kernel
143s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/01/2024, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fc4f43e5aef80d47ed4f445f0323d3f.exe
Size

807KB
MD5

6fc4f43e5aef80d47ed4f445f0323d3f
SHA1

a365bf9dce651b3a76bd9f4c5bad5f05d260a6dd
SHA256

17ce3a82deabd5d14cc8661f87961a19b7d4092f03981409db2b82e77bb981d8
SHA512

d0e71540d0f12471ad7b9c6958f28149851c317c8f9482b8320959e18d616bb89296433cd1ff5b1ddf9077766c9d3b1ab8b11c36fd69be4de88e88bac065c4d7
SSDEEP

12288:XaJry32rDYofCSi4CGcck+0yeo5RoPhjWTxpGtQtmBEkeT9n9l1NipoXPo/ux:XUG3qYD494yeqGSxpHN9PepoXQ/E

Score

7^/10

aspackv2 upx

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b000000012185-4.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
2720	NetMaMake.exe
2572	sys.exe
2592	wint.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d0000000122ca-13.dat	upx
behavioral1/memory/2572-22-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral1/memory/2592-25-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral1/memory/2572-35-0x0000000013140000-0x000000001322D000-memory.dmp	upx
behavioral1/memory/2592-174-0x0000000013140000-0x000000001322D000-memory.dmp	upx

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C792A901-B939-11EE-B3A3-EEC5CD00071E}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C792A901-B939-11EE-B3A3-EEC5CD00071E}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C792A90C-B939-11EE-B3A3-EEC5CD00071E}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C792A903-B939-11EE-B3A3-EEC5CD00071E}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wint.exe	sys.exe
File created	C:\Windows\wint.DLL	wint.exe
File opened for modification	C:\Windows\NetMaMake.exe	6fc4f43e5aef80d47ed4f445f0323d3f.exe
File created	C:\Windows\sys.exe	6fc4f43e5aef80d47ed4f445f0323d3f.exe
File opened for modification	C:\Windows\sys.exe	6fc4f43e5aef80d47ed4f445f0323d3f.exe
File created	C:\Windows\wint.exe	sys.exe
File created	C:\Windows\NetMaMake.exe	6fc4f43e5aef80d47ed4f445f0323d3f.exe
File opened for modification	C:\Windows\wint.DLL	wint.exe
File opened for modification	C:\Windows\sys.exe	sys.exe
File created	C:\Windows\uninstal.bat	sys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 60be8c8a464dda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-e3-49-b5-e8-0f	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	wint.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = c035b58a464dda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e8070100010016000f00140026009002	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e8070100010016000f0014002000c902	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-e3-49-b5-e8-0f\WpadDecisionTime = 0070668c464dda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"	ie4uinit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = e043968a464dda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070100010016000f00140028002d0000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
240	IEXPLORE.EXE
240	IEXPLORE.EXE
240	IEXPLORE.EXE
240	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2720	3028	6fc4f43e5aef80d47ed4f445f0323d3f.exe	28
PID 3028 wrote to memory of 2720	3028	6fc4f43e5aef80d47ed4f445f0323d3f.exe	28
PID 3028 wrote to memory of 2720	3028	6fc4f43e5aef80d47ed4f445f0323d3f.exe	28
PID 3028 wrote to memory of 2720	3028	6fc4f43e5aef80d47ed4f445f0323d3f.exe	28
PID 3028 wrote to memory of 2572	3028	6fc4f43e5aef80d47ed4f445f0323d3f.exe	29
PID 3028 wrote to memory of 2572	3028	6fc4f43e5aef80d47ed4f445f0323d3f.exe	29
PID 3028 wrote to memory of 2572	3028	6fc4f43e5aef80d47ed4f445f0323d3f.exe	29
PID 3028 wrote to memory of 2572	3028	6fc4f43e5aef80d47ed4f445f0323d3f.exe	29
PID 2592 wrote to memory of 2620	2592	wint.exe	31
PID 2592 wrote to memory of 2620	2592	wint.exe	31
PID 2592 wrote to memory of 2620	2592	wint.exe	31
PID 2592 wrote to memory of 2620	2592	wint.exe	31
PID 2620 wrote to memory of 2584	2620	IEXPLORE.EXE	32
PID 2620 wrote to memory of 2584	2620	IEXPLORE.EXE	32
PID 2620 wrote to memory of 2584	2620	IEXPLORE.EXE	32
PID 2572 wrote to memory of 2616	2572	sys.exe	33
PID 2572 wrote to memory of 2616	2572	sys.exe	33
PID 2572 wrote to memory of 2616	2572	sys.exe	33
PID 2572 wrote to memory of 2616	2572	sys.exe	33
PID 2572 wrote to memory of 2616	2572	sys.exe	33
PID 2572 wrote to memory of 2616	2572	sys.exe	33
PID 2572 wrote to memory of 2616	2572	sys.exe	33
PID 2620 wrote to memory of 240	2620	IEXPLORE.EXE	35
PID 2620 wrote to memory of 240	2620	IEXPLORE.EXE	35
PID 2620 wrote to memory of 240	2620	IEXPLORE.EXE	35
PID 2620 wrote to memory of 240	2620	IEXPLORE.EXE	35
PID 2592 wrote to memory of 2620	2592	wint.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6fc4f43e5aef80d47ed4f445f0323d3f.exe
"C:\Users\Admin\AppData\Local\Temp\6fc4f43e5aef80d47ed4f445f0323d3f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\NetMaMake.exe
  "C:\Windows\NetMaMake.exe"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\sys.exe
  "C:\Windows\sys.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2616

C:\Windows\wint.exe
C:\Windows\wint.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2584
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\NetMaMake.exe

Filesize
394KB

MD5
2bf5c3369e48ba19061d81f43150f9ef

SHA1
a3aa333d693c71c3e4d251caff81d32fe04baa63

SHA256
00cf5b249e91fd9bf6ae24f254a3ff3cfe54df62a201114329387c32bf7ed9b4

SHA512
8100ffadf626a94597192c5e69830eeb383cb9edd7c3c2487a964f6af73acaac3932e16ad0f829048a558417eba14ab3a7d4af3b5ac8182182a16d9a1c09b0a1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
55af115279ff816d5794a308901e871d

SHA1
a296ce7e54b6a81313dbf0971593a1dffe07767f

SHA256
0a04e9506d0c075d96040d258be2560cd1fdb5d3ca77a97809e7473f84c4cb32

SHA512
f0a16738703041a7130eea17750ae478af7db86d97d0f3b8e95f00118c6bac04fe53b85a302f3125967b379bdb49328ee74f12fee7ef5ca37ac5ff419f76ea5f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67579023c72c06dd943a0b63e2f6a45d

SHA1
5d9b2a6fc6a8e847784cf0ea889f0a65845663fb

SHA256
72dcde963ffe9c34360f30015971503e3a3b825f673a46a5c3c898d2868c8072

SHA512
7988b56e9526253972700b3516e903e872520ed3e1f7e379a1a2d084d0e276709a546518600597ab7a123cad2fc2f6d371e4747d1fcad320459d433d82ab465b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0149d460530a4e1f8d796ab11efc1eb7

SHA1
7b3c6b45c3f33f2070ed51ec9d839e20ea4d5a91

SHA256
9ebac7659a37d9ac0c39c5997af8f3256cc443edfd90fcfad428b8ed6020eac9

SHA512
b1538023831dca6af433211062e5284fa5f521c8d1c57123f2b2b78cdaf8c1c72174812d20f87c3a1ebea4875e8986285b007a114548d104321e657744ab840a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9186244f461bdd30f727e9be664cb01b

SHA1
3c4ee9ef47a49b66ba24e1d58d1c912542e5dcc9

SHA256
d02ee2236b352ccc7097d36c40d0aada350ac8ea78929a9a0a31e010840b7a42

SHA512
296b721d4f5d6c8ad65e4153f8a724d829a0e96f4f37734536d190d6cb2a93063746200f4adbeecb2f2f891e5dfc500192aa280cd618a3394b6aa29c3ecb0445

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3655e6af89ab6179b8b7207765441e8

SHA1
7a3678029591fbc1e271954bd5ee0d7bb1e84b5a

SHA256
2a8f727fe56c11e7de9bfba8ab6d6a1b671f29fbefccebf46c0923ac43a3e8d5

SHA512
ebfe6d1ced5781b46ad4b07103c166d841188b11bb17dd5931b202843b39e6e71f1905b16374a6390c6890b3271d1df597ad6003fb9f858546a498adf5f03709

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a6ce5a85e7fb0cb39c1d71eb933712a3

SHA1
94edc42b72e469a2357fba866f89693874b0a113

SHA256
13074c03433cf9e7ce7cf618f5004d779a1a12469e91be8b5cb9af8b20a9ad7b

SHA512
fa60f2c7aa5e63925b4201b5eb1ccc836e42b9e2a04bf291b02e5d1b90dc907ddc11222d9884408c36ef9a98019f142fa3e286bd41f96700154c2711acafdf48

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3fab3f5a7f56b1d9d2a9cf42d146e1c2

SHA1
898c9093a957da56f343ac479e311f16b84f57c7

SHA256
13aa62a27ce5b5455fa6e1612137fa3771348a89b3da7ce471f077d49e056caf

SHA512
5c5186b6c246dc19c99fd12f2dcde2ee0c0f035c8f379907221d9eb8036f4aa884595faee0364d8c591287ddd73651c0ae6b216063e4bc1e179beaa85d19db85

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cd433dd3f57b8d3c563120023c3c593

SHA1
92d1ec262e514c78fda9eddc2579716d0bb9a3d4

SHA256
00cefe3ebcb715ab6e6074bd8f480c4c7e0e5cc2d65864c3799761e1b3beb2a6

SHA512
d5ccb898d2f5898a8a927012495a1a3762ce2ff1be06a1d844eafce8c36f768f2c9c907e4c61a614c550e11f4e16d2ab1987d81b3555cfcaa33ea487c864de9b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d44d21b740b08fb20e726446b908704a

SHA1
1876699126c385d787e41372e5ab7c5c270673c4

SHA256
2a0b987f65fdebc63bc18d122b80112c80df5ee8161ac7285e842e0b9a64367d

SHA512
92ccf6fffac9e56cd6b83588e39a7d63ef26962df4459569d92291cb7bb9ca652f48da53d84dc174bad9b524c426ec08c7fbf2442ee412e56290175ed0d7ad0b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af4b035704961c3b762c0fa51ee17f27

SHA1
0435cf82caf2fa6637c89a09815d97d864188fa9

SHA256
c2cf6add0f19dc90f21a0998f32b68b1d0d80de882eafcca0bda6a618992a720

SHA512
65897685e9a6901b2b4a37b9eedd37b8efc77fb81d652c19a9cef2dcd11f9cd0e893b68a0c56eea27ab5d0eafb9f7bcba75e2561f9c7abc517a4c46e5a9cfbe3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05ce4dda90b1abe1f8a3e35fb18660cd

SHA1
ec9472d860b50477b500caa910abe59fc56dd415

SHA256
0574a993bfe75bcf61108a489fc3fecf0079f70d7e610e9b01d5ae68bdddc70d

SHA512
ede119e6524fc21609dfd27a3cec4faa6a311bac67dc74c49ca0a04f059173d4c8a2d36bd5980c9a10f3f465f79bd2b23a94b58e418933cd78e5f9efaf223815

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f7630e8ce9681103d4ce3456d150ea1

SHA1
f87dce593b1f0109cae2d3d26882ff780feee534

SHA256
7bde192f82fce673061348d229d851cd2adb94d928fb0548f2dabac8b95a7c2a

SHA512
33171d98edb0b384f6f661261fac47910d5b6d41cf4dc510eec4d2c6775e6a249a3cc903ab836a1273e5368f46fdcb86bf624d39d99687ec20a4a93864992c46

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
637ac233b1dfa075e06f7ab12dc35912

SHA1
eee90dd0eddafde82b2c9f2f4b99ef2b30e91cf5

SHA256
4e7c33c8b67636264f59651e28fc310a51ea57d06643d5ae3f57feecf25f83fb

SHA512
ff4ade88c192a35e111e19e338c1d45babc3fa0333e5a3d1fb1f49878388c92c8fb364d0d5d01f9b1390266b8c8b47f2b1f3d24d2f44f79b5125a7c9d67ac170

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
581d7f77ab552b4da87c5b00db212dc3

SHA1
f119cdd9705cde8bff3eb7c3a7c8765c44103b6c

SHA256
1f4bc9a7fa938a6933c7f8b27e2362fa3250aa09cd26c04b80df75799a24034e

SHA512
a9c74a937fb64092bcd9bfef13962305049b29871398d508bd3ee7af0b2a803bda27dafd290552782f6bf7a3ac149ea4e852f1f37810a9b6ae500dd8f2095c6e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec26a9b2d0a3d9b677ccc7d18d128ea6

SHA1
2ede7cf6f06c6764fce5b5372edf9e57b5a0d355

SHA256
dc3cc2b27b1484acbf00131f68a393dd95f23818931cf76c802283b8f595a75c

SHA512
e3ba2dfead8784384c20871bfd1e31b6f17e95bd03ed2e3468465afc3217c39763aefd56844ecc9317a35ba35077e4e0801c95ac7b327b3743046a86154cd69b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f54f16a349fe5a30f7104fc43508d85a

SHA1
542f68dfd0a4d579078ce208e38bb51b3b456821

SHA256
0df1307afeea89b8e2af11864ba8d10efa13a45324105fb1f3ee2af611761ec5

SHA512
420c702bb9d0bd6cf4d5f41e75e530c464266e92546f5ad97df91c8d5f3eded6f04c368b3f2be88f2228a3fd696cfe9d90c99a39c93b1894c1b50bb9854a374d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56b448c186e8b3fe6a6479c7ce1b9f43

SHA1
008b782ab236de5f0140818a7eba8e1d099d2426

SHA256
a566f7dfbc5501a45c8229f7f40050650e5b33d63c440d6d8c8034afb85ca320

SHA512
5400248ddf63539581f613875a5eb9781fa5f18733ddd3ecd5474bc0c7b6a8f9ece126af1be194110c299bcc0aaf89d4801388ccb2488c8ae5033edda148060b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32f9c15a7c0ab3fd7cca720354d36167

SHA1
b98c7d9dd0e9c2197085a1006daae1e9fbb4e689

SHA256
2b64bb31b7a39f25efa3277c89d8874b7a246b972e8ed1903ccf063bdedbb58d

SHA512
5297e2fbe42e1160e28f98db0863e86bb1ecd48bbec41e75700764bc935a8bf9d250b60e6ecc5ba12d4e941686bcc227b61c71490cee7c71ce72909dd7eea686

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
234d83d3d77d9e3d9d546e91c61a0644

SHA1
208e43dac5aa8d5d2d5676cb843eba8d73a247d8

SHA256
daa8c4790a008d812498a34ce61e57b3708bbfa4c17bd4b8d2ff5a8af12e7774

SHA512
a618acb84e0b8f007d41edab7b49ffbaee6faa360287de727e6e2729c567a5091e01d3ecdd09aa46ca5281b3ed7cf1a3b2d37e7d66cbbb1aca61fa743bec4346

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba7757bf02dfa047550df5997e844d7c

SHA1
40218c163333efacf9c82508247c668ad0b48740

SHA256
bc9e5bbb2cd186147e8d6ad7806c00fcc0ad14722b6973d4f2a7b350e413c931

SHA512
b24b218da8199afd6565d44793a71fbe338161011be3af64544bef71d29dfa21e823579b62ba341a92df3257cc2740b6e4300d51732466a5959120c70f6fe327

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
44e45d7ee34b2d73d9db9f37db42576c

SHA1
5e11fd0b73fb5ef4e1fc44a38a59b001c24ac130

SHA256
5e61353086ee94b7cd5a44b6bb288ebee355d07557d593937de3b1490a844fd2

SHA512
05c0a077cbb00bdeccf21c17d17f5b22e37fc0b4f46aeefe4ed5f568b68b3dc26475355b2a308c382edc53e996d750a9819b887fd05266c4a935f8cefdcaaa39

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab83D3.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar83D8.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar85A4.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Temp\www7916.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\sys.exe

Filesize
384KB

MD5
63e8d5647bfef8d259d1f5a3e4ff2401

SHA1
26e638f78477c6a31d3300ca2a33798cd4250381

SHA256
50bd38bfdcdc7ec22e4114b98ea58f9959da3dfbf7de8225daf3f31c37d071d9

SHA512
33ba664f5c1f80f288b9a2784becb3527a9e1d243e76005aec5af6a837cdfd986f494de5ed48750839bc0d5305e1f9c6f5f9af5762f91be54a4250c5cb803c83

Download Submit
C:\Windows\uninstal.bat

Filesize
86B

MD5
c99d301cfae80755f0ba2d2d4dc529c4

SHA1
9bd8a15d0e5fb4bcb1c484771d4004f7c6bcafbd

SHA256
7626c700fba71c9a1c79e19485dfba107ff2390ca8e464de7d1723892f50004b

SHA512
0dbe75c6bef02357971abf23fecf74d243a39810bb64021c447a7715260955f7c0cb004a7fc5cf41e8d9e29b7587b56f4c4d77da4fb41be99427c8dbd50f7071

Download Submit
memory/2572-22-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2572-35-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2592-25-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2592-174-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/2720-728-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2720-727-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2720-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3028-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3028-16-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download
memory/3028-23-0x0000000013140000-0x000000001322D000-memory.dmp

Filesize
948KB

Download