56657d0660933b2dcef3dfd048fca62cbbb2fb3d36658c13da26dcd0980c756a

Analysis

max time kernel
141s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
Size

34KB
MD5

8d1b0d9a04ed0ec29703abe2cb29e3e7
SHA1

d07f0fac7361c54d4de1d42809524c0d66a077ae
SHA256

56657d0660933b2dcef3dfd048fca62cbbb2fb3d36658c13da26dcd0980c756a
SHA512

6e8a49883d4c753ec9fb2bf573fec6bd810af6723799a09717c0a6e4ecc2cd165b2c601f008e2004e4942a4159a22f0dec81e12f8084494126cad2003860cd14
SSDEEP

384:GBXUFh1yvN/uMmxDMm/QQgQAAwIIQQgQcF:MXUs1ZmxDMm/QQgQAAwIIQQgQcF

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\C_437.NLS	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\msjet40.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\msswch.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\msxbde40.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\nddeapi.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\schedcli.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\cmdkey.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\C_10006.NLS	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\d3d10warp.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\devmgr.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\migisol.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\MsraLegacy.tlb	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\perfctrs.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\ubpm.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\vbscript.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\advpack.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\pid.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\ksproxy.ax	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\CPFilters.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\dnscmmc.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\msiltcfg.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\dxtmsft.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\KBDUSX.DLL	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\msjetoledb40.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\msmpeg2adec.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\oleaccrc.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\TRAPI.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\dmvdsitf.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\SysWOW64\msvcp110.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\riched20.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\accessibilitycpl.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\framedyn.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons0011.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\QAGENT.DLL	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\d3dim.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\dmcompos.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\inseng.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\mssphtb.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\scrptadm.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\SecEdit.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\WMSPDMOD.DLL	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\blackbox.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\chtbrkr.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\ipsmsnap.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\SysWOW64\noise.kor	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\WSHTCPIP.DLL	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\dialer.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\gcdef.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\hdwwiz.cpl	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\linkinfo.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\PSHED.DLL	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\dispex.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\msvfw32.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\tzutil.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\mfc42.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\msfeedsbs.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\uexfat.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\wevtapi.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\C_28592.NLS	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\C_932.NLS	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\pots.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\sdohlp.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\SysWOW64\msvcr110_clr0400.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\SysWOW64\adsldpc.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\WINDOWS\hh.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\write.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\WMSysPr9.prx	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\mib.bin	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\setupact.log	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\setuperr.log	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\twain.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\twain_32.dll	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\twunk_32.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\fveupdate.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\HelpPane.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\win.ini	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\bfsvc.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\PFRO.log	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\Starter.xml	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\explorer.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\splwow64.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\system.ini	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\twunk_16.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\notepad.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
File created	C:\WINDOWS\winhlp32.exe	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000382d81d6f65cf0c4cac181c0f8695c540b790ea09aec3cc9532522a8cf3a6ae3000000000e8000000002000020000000d225cd4e0bb75f762ba4605fb3b91d93319d9300322aa99ab4cfd8d8cd9680e69000000020f6e40264cb1281716efa78f6b512d38233a2f55bbe37dd50cab8d055bc78a7b6b03daa9f944e6296767d6161e75cd98356c917d25764dea374dbb233b21fbc6a86ad66dd6578e9ab9610bb8c2a7133b381eb2518b84cb6eba82c4f8f2ae84eefca4af017e71a45bfad6a0b97e37abceb6045d05448bce815b1c06e0db52e922b45e7dbd192e44437b84c077366de13400000008897d3ee3f3a8781f61a8debfb11c3fcdbf390fcb8817ff66dc00d9863651686b85f51272f8ae10501e21f617c634f0011bc7f0e441934da45f9cfb97e938b03	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "290"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B1816A1-C2C7-11EE-A80E-FA7D6BB1EAA3} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "290"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "255"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a04877f3d356da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413148957"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "290"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000b6b1b779fbe3b81ee69d6647ebda43f826f8565167b8c73a27838e4bef3a8d60000000000e800000000200002000000093e3daaaeb42d781a06afdcad8ab413f864d5d91e59c8395529508fe368eaa5320000000700e73555fb5d294b6c0046b65b34d67cc186194b55b295749314a388eb8b31040000000215287af0ce750736f5fda9711c705945b9ee30397fe0944e7f41089dea75281b21e2171f5266911609a1a3e8bfded6670d72d8c646de1706591c1fd88c50893	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1720	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2432	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	2432	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1720	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1720	iexplore.exe
1720	iexplore.exe
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1720	624	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe	30
PID 624 wrote to memory of 1720	624	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe	30
PID 624 wrote to memory of 1720	624	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe	30
PID 624 wrote to memory of 1720	624	8d1b0d9a04ed0ec29703abe2cb29e3e7.exe	30
PID 1720 wrote to memory of 2432	1720	iexplore.exe	32
PID 1720 wrote to memory of 2432	1720	iexplore.exe	32
PID 1720 wrote to memory of 2432	1720	iexplore.exe	32
PID 1720 wrote to memory of 2432	1720	iexplore.exe	32
PID 1720 wrote to memory of 2592	1720	iexplore.exe	34
PID 1720 wrote to memory of 2592	1720	iexplore.exe	34
PID 1720 wrote to memory of 2592	1720	iexplore.exe	34
PID 1720 wrote to memory of 2592	1720	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\8d1b0d9a04ed0ec29703abe2cb29e3e7.exe
"C:\Users\Admin\AppData\Local\Temp\8d1b0d9a04ed0ec29703abe2cb29e3e7.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:624
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2432
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:1520662 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
c8c4ce9887105f263f11d8587d15ca79

SHA1
e7f5d096770c4ef8226554b8f05898e55d9cc341

SHA256
be171e984ef0f67b3bdbd169c437423ddde539b673f9c5469315c9a359d3f4a2

SHA512
7c6d910b1307421312f28a20a1cfd67e310732889f232c8e6d919e4cb4906fb47ba312208ed03e730af7b512ebac1975264d42c85e2364146eb571d3821c02fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9411c354abeb6083883f5e167fe4112d

SHA1
f2dd738a5e11e5263de54f2f70e52eb29a277ba5

SHA256
4b2a6257811f4af40582669d3046c96916c50e33185e7f0db3980e66eea58fb8

SHA512
20e2e14e8628e3f0252532ec8c65b1e45c05759a1a3303e4f2b2b6c4a76e5304d29ef22bdf03235fa768663be2d64e46f7c817d8c5dfeed1f7a5e79d6a06b94d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1ca720891baee0b9c4c1386e148de64

SHA1
1efa6044209c55355e2a22e1c02242e3d1016fff

SHA256
5bb637df8ac5cda01fddc71f226b88e364346ab664e111309bffa86bd67224a6

SHA512
4ea6d1b97c0b46ab86c96a4498123e6d82494adc4de405d0211a612edf6916ec30886db467d633ef2cc68687752fe7e12ce4b687c2b7e7b98378923b08f3b0d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9a1d5aabf6e975162301e646a530afa

SHA1
e66306e23188859fea65b23592fe539556a25f69

SHA256
35b5eb178cf92ad5024e680e145e4fc7dcbc8a59da282f7851086efaa324cfcf

SHA512
73aa896f4a02cd03f0717a8f24842fadf1676fd2f6cd491ee128418a470fdb131c7d878e675ac6978f64352ff84a293d675357a6035aaf025252e3d073484fe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15ec279014a27e1c9ef63bb2f5c3fee2

SHA1
9f21ac3f79bbe8a30cbe1043d3f25277df3df33c

SHA256
bd012c35530ba6f79e7f1f76fc3f911e9425db1df93b291f88c7b2bd28cdfd58

SHA512
93ac85a055129b826cf332e8747243f5ecdb29605ca32ba8bb3ecc43886e1bd1f81cc537e9605469f68a1990a99be51b7dc5be492925e2deb87397307ea2824b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b7a81cbdfce572ed576082509490f89

SHA1
3fc6d26479299615aca199626ee3f8d046892eea

SHA256
d3faec1e89cc7a91e1cb22188b763fbf1293e908627d2410b9dbe752d64894e7

SHA512
43e9c93334c9627ed3e26999d39f2e08f6d76b31e12fb2e9ba137034da5a8eabb6afe562a2635265a7194fe1f4e89911e7fc40f71e474017fcfafbd7a360eb8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9725377a01a93d6a93c5106be292c556

SHA1
2aaf60eeeb3cb1e1f2943c4887cdb8f8507204e7

SHA256
76464cccb85f833a116367736fbe8475ba36fe4942325bf01fff036bda431aaa

SHA512
d1c986aba627b7cc49752b51829f07c3fdf2877a3529f256dd7749934c0722da74d6e52368edb28ec953936979bd4cabddc11803e0e948152080ef6710f04e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58ce1b75ccd312fb36ed245cb2946c21

SHA1
3af54a07a5187f41f808c5a70ab85c97ccc8551e

SHA256
d8fcf90583d4403902511c5ea028f7212eecfce813800e1742027755e0d6534d

SHA512
ecabdc41fb508a060236b090757aa318e71f7c8daf547266838e5bab4ffcf94a0086e50e5496318def6faa0db01feb6bc32bdcb991fbcb8bfc1e59d18ff76783

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b6583c6d04c584514a821e66edf0a39

SHA1
f5bb3ddd6687fad01d4560479c96af052f991bfa

SHA256
32fc26ec5765992cc8fe079d7f2a5013613b6e038d1e7c9d311236aec40261f6

SHA512
c1b4845a70c2847d61b02b61068c1ac6f18e4c6b74178fe3242568b97c40a3a5633b2b6430dc8f891dd76dbe013ec6de043b3faf5c6d8befd92f9470bedbbc1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fbb4d32414409245dcba238722a60829

SHA1
7f321ff3a41bd12465b89139250c3a93d3a5fdfe

SHA256
aa88808009cd0ace26369e338cf9b8b40ac715e04adf470a42ee14242b0ad86e

SHA512
fc318adee52a2952bd910e3c6bfb9b5452c5d568a822a18de677c593642e48776bc35d9a8065f4bff7b6f484c71039f83da3a255273f2a5772e667d34a71ebd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cca4bd03e917f3dd24878f25dcac6d4a

SHA1
a8bc04ccd1fc7a86a52328c162efe3593694c08a

SHA256
83d5be9db3dd5b0a4114bd608f136153d7b08eee435d803142822fac89d8a274

SHA512
8efed0cd18fd97af41f07f14c31094d61441fdb2812f7f98320f40a5edda2c749b075c057fdc9e8fb764ac00bfadd8a30f73a6e99ffe08f538103e11f6e174f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cdf60dd1ec6acbf8504aad76da3dd34d

SHA1
6bdea8d8bb422f416603848bcb3d452fcd472a56

SHA256
f2977f182ceb938a8dacfa222ee7cf9bb3e402425e661db0badfecd106aa85ad

SHA512
b701e9f95e49295f4dc2ec7e13d45b128d8121168a194fc7b2da6eadad1273ecd9112fa2457b86074707c4c914e3b5b2f50c362c7aa0e134e8a96c964c51eb5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
75fb2d7177e7a028faaee4215a97df14

SHA1
aab7ddc797459a3653eb627ff074668f82903e7a

SHA256
396ca0a599056cb400015bdad691ab7bf8a61e14b9532c559f0bb8bb15084fed

SHA512
a1da420fae386fdc0b985826e998ab7b3f544ec7d669cde254008ca64773f78033115d321d937b66df3fb6ac33878b77aae1e92c581c9ab5e8cfe47f1eb3da5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3951742e4bb3b2b036ef6e27440cf5a1

SHA1
dc0162100b448503b5fba0524032daf35bfa5f58

SHA256
1bb3815634bcd0d2e069b8cd3d884b908447ab38d5cbad589ae04dd270421d64

SHA512
ca56ee4360d63317d11979b032162807b9b7bd70805336d315a59d330594dc0ffce8f18bb1cf8dd14bdaa0dba3cb869b48e9487bedafdcd98ed06c63eb6101ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c24923beea3ca3187a0750e0d0f4e66

SHA1
c4fba3820d32673f71e75f4e36a8fcbe6d3f6b59

SHA256
29900f7fd6aef268696e0450eb5dfab4fca1915c0b1cb0207a83ea97f3d8f313

SHA512
dd8674da51e1d782d31ec1d27e517393e5f3d1a4f64b509236c992ae6de7486df4b40d41e8f139be8586be2a1af4f9d07fcab95cac7404c61ba833171ed9e390

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5f4f6d231757e2afefeabd73d80d312

SHA1
9befbc1062b92627f5574961a6c5b54b9da5f121

SHA256
da1bab71733272a5fb17e932f6b716802f4201578c7737aef7e2cbc406dc48ec

SHA512
0acb9d419aca0a61b9957206e774440a5d421e9364cd620eb14abe87595cd175167c08ef3c9959a4d54cd4809217deadd5f048fc5bada1e2b1061ca0f857803e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13a53647500fea8955bfcb9df28ec340

SHA1
f3f7a6507f76b5588095fb928d7da7897c1b34cd

SHA256
1ff44f892522acfa1880b6bf96036619ac1e086d4792e46e2bb2610daddc6b1b

SHA512
2979f1c90dd110ca3df9a6a6ff943b0704d6bab1c44c827bae6cb685e79138c96587d51db6a9015e51aeb8212da76a21d3cadd42ddcbb0227c5f337cb7538433

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
318851ae05a58b9a19606544497079bb

SHA1
5a098e6d5264a3bee9166f68bcc1c266bb671934

SHA256
8e153ea5bc6443c181c7005a278c8294185eca21ade68dc22c01d5b9b93db93c

SHA512
aff38237a3bc42bd5b8b828855573ea93d762896839f5e4fff0eeada889740c37018bd34e812b0df84518e0c91cd843b1efe5c2e8f8f069ff02fa7dc6f671e80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac476c6c6e043d467c0dc048830de486

SHA1
a929ce15ca0fea6dc6028afc4223f97444f9c9a6

SHA256
251258ceed1c8b064e7a3d9f529d08f2e1179a351bf65172bb9f847eb65e513c

SHA512
36278ee5348a0b3ff733061ad3850ad9289b9c93fa57defe028a64bc4823b389cf5857449a2149ea35cd9c8feb50ad3654d20d1ea4cadfe59fe6bd509a0a42bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1652c1daa2f547c663122fb983672f4

SHA1
6b8bec60e78470a87e9b2b120e4c40e36abde96b

SHA256
bc71c245fa313a6b86ab36a973e399743c755c6cc4881581cd2f2d26e9e33817

SHA512
d5ec9958f2d8c7d280b6862a02ec60f3f6244c6b85b62b69c32b62e63e775c9a3daa4cb48aee9545caf092f5f14374810061bd2c1c9f924eaf1ab394f54976c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
348304dc3ecd6e44f8661d9ebac25d76

SHA1
3fb458265692fe9cc77919020f50f454df7ba71b

SHA256
baafd440463612e669b6a8b0b771a7416fef55b601df5af095ecfa715259f619

SHA512
244ade6b6a2aa9809100e331a8eae9a00bbe310492eb71ba9c1e82f223c0f8cc42f879f45533439529ac8ee6f3c23cebcf570b6ae47e056fb5a32e31b3a2bd39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
732dab95bb4b4be0b9f733db450c6ee0

SHA1
402e20f9c0aa9d7efaf4edbd00453a7f025aef15

SHA256
3f4c71921d5b07bb153cad06c065bc5de35851918b8606b173d8855f51917aa7

SHA512
dddd08cc5a8116e6cdddca461293a156df8acaf67d98ec69b300d528455ca32a50781710403cffb30373fbc2e737d4c8755d88d6362356b262a2697464a7d715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e18b2d07f38d0f1652f9f22234ef70d

SHA1
2c82a3fb7a6194fa2a6b52a84997730af7fd43b9

SHA256
9710d222f4626deab37826b0fc57a215912ea474f8511293d3afb0f1cf6f4ec7

SHA512
f2016baf6ed34082aa75fda5c1c545451f1a92e4dbe558d3e685d253a6b2b82fffefa3f96b44a25f26ce73df8b08e2560dbf3ff46530e21220b95193ea642141

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9f3fc72c1995d13b5f8143ebd89ff96

SHA1
77871f485c7d1e768e039b4c426d44283172c252

SHA256
828e6fad1e90a8b244457ec91308b7a7589e2f75482d0e1486bcb80c3ed8ef16

SHA512
2d969ecb8cb0e4840677c25980cac7079f02391a3f6fceb9ef26e27184520cef328c925161b34f380ddd70b9ff808e95d5cc09bdce2fa4d188a6ebd95b2b54f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08bddbe4e344607ecc3147b33975a185

SHA1
56a238b12e264354bdf315d46ca45d681be4ed61

SHA256
8fc10cd923cd2b0daafcc04ae32106d5ba9ecd2dbeab7f66062cc901178df81f

SHA512
83204b4658124ce3f8e87ec4c987ea8db9ef62fab5f469d5043d44f8251a74b3e7b3e4c20ba904e0d4130e5f20f2960bce8ffce79b6fe91336fa5fd4ca382345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3af011507382ac018c4ff86f157fd595

SHA1
6150a854ebec9fcb25377e6672720de1f10f6baa

SHA256
d395fe42bbb9ae7ffa4e9072a2949c9a91cd8b8726da8924226aed838991c423

SHA512
70420969c4e3ff961b7532bc79daaa0d5f997efd3fe0c5e1d70d39a10c5d348df0554229061f36150ecffb9c28bbea5bf59b8b0e78980d60a4d8887b5e556ebd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf8bbf2d4dbd5e51ba2745d73df1735b

SHA1
747c3f07b2c4e2a8879e131b592abefb631c8dd2

SHA256
b8a835c17d7c6b46a61c0458c27573e3051eb5b3a9825cb05f09060456aacf3d

SHA512
65861cab48b95b8b0f22027d41798f40897bf9f01d8fd24efe8e358c64b2580869ba94f9b25a272731272a07237edfc4658dd690727408c28ee231b9abca711f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
78bce1e6a9d5b5373e1931ff27490435

SHA1
edf48129349c1015c6c95f5b868354b208daff40

SHA256
ef038b5fddf4336bad6e5da34853ed13570e2f2f3023b39be1d9918dd35f98fe

SHA512
9473736f5a432f8f55e60227eb17f4e23ec80a28cb43f8c3fea0ac64fd12f794742d27393a591fe64a2e9600028a3810aaa7371e09557d29f7dd887b65ac9577

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
473decc6627eaf56c73c5afbeef52cae

SHA1
3504f3e9ef39a3597f7abd346afe0d37560d2fcf

SHA256
fbd0c33497dc1d37c486d98701824dfd3fcdbb8f2158031ef2d95953a522142c

SHA512
918421376ebe0e2888ff815134b78ca83df20645f44471ed395921b1e1edde6584ff6b937d9753c15f49cd0cca977e7eebc84ebeaf8600ae887b18a4ecd9455d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9dc61b3609262dea44165785992595f

SHA1
5bffdb5a56cd0236c9c662f1e532a6c10cb6f359

SHA256
600f54b0632ee4c8b9006dd77e5dc5614fb5388e5fe4ad401b96eafc9e7adcd6

SHA512
ac6e3c5737d125c2800d2deb69742eeaf812fff06a42dab1c5b2e3470563482abc905a4c0c02949592908c03d0a85f368f420a1a1daad4437bf689eb2c47717d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
074c8750ed6c9a3bf964e12abc6e3c98

SHA1
92f9db22903c83f5f5a17a08ea678a9af691f681

SHA256
090ff30356b03fd3e19183ac9b28bce801849b91fb2574795e6e29a73062fcd0

SHA512
7c4a42dfb49eb2d2c2cc5c3687e10f6978501e51d4e0b118d56b83b818679dd32abfeb80ae1aae7248f6b220b1677b0974fb512b3665575e3ce3659ba9535341

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a3ff84caff64faa0e3bbc98614b2a36

SHA1
fc3895e2fee53b9731bd63cfe9132165d7932361

SHA256
71f0691443b999042cc5d629a53f3dcd3903b906dbdb1f4f1dc4d9133ba00fc5

SHA512
7a727a2309186b7ba2e2310aa5dabd30fd3b818e38f8f7b93800e6e3cf8ab45ddec871c035968472255896351b5d9cc0a3d24af8f45aa9c50cbf57f551554157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b2809d9526a7fa2c304c37be369d21d

SHA1
c82c48b0579d4abf5ab9316667aa3ea4f39e7c04

SHA256
4e917544e8ae04435d1d250cccf96c21e86772653897a0d4baca249ab9a1aece

SHA512
543757c0777066d2e6dd4380a4cf7ca1c62e30a527d73bf6dc93a01a071cd1583881debc70200dad1943c06a08cb9298245c8e659a1862b1b8677b5e32b234e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ff9878d0c550e127d1f54a6b4ad6cb8

SHA1
d26dd1e02a36e3f5e5882544eb1fd8271702442e

SHA256
e232632fcdcdec87089ded175b4752fd84c2ac4f90ac6ec5dbc3ee02af2f39be

SHA512
5d1d4284bd93c08b8bf62ab9bf9bc1f919827af23aa77f3d966826054a90762ada4cb50c228288beb124a817e7af490d3a08eecc76706075df08fa7a802f3f50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fa77e71a3d052f8790ab3994771ed5f

SHA1
7f7155ce9c3fe5ef3ac91fa3eba63070854b5af6

SHA256
c4b6399478a36799ab90eccf01f55b22c146b8aa1f2657282da01c6c54921cb3

SHA512
21616947e0944079b5d29cbff317aeb8400a99357b17b9b29478f55ecac9cd24c8c7e5dd4c9c1f4a16f54ef27435360bf36ef0bc0e2dbc9074ea3e16cd20eeb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f263a6326309befdb3223316731b001b

SHA1
f16a1d08ceb4379e7654a31f37314ea367c893e9

SHA256
9975b83355bcf166408cf32f198a934e17432d6991c5d2625078ee5128360a31

SHA512
54d0977b921906ed8964eebec9764a10e8fdd33010633848b3e77da5a382b47cd00ed26aa7e52d7fb267649886e76aac25c87d8cc8aa5e23c8a081460f65c68b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecd9f308c67f5e61d12a75b4f9714e46

SHA1
e949df139be05b2a9fdd04d3ce34d38c8c4b2d0e

SHA256
255969289d9103983be028e79e7acff4381e1a9a58b27817dae2835e6b860e3d

SHA512
c110c661636545de360a1b454cd2ab8b7ae3f09ac168b25952dfebe8b3fae36d0c2ca3217311a11ef1bc3aad74c8611ef8d102e2a13ba901a2b9456c14bf56ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afdfc686fc9c4a02b61dbfa6322ee4ee

SHA1
4a208822a1687cdef17f5007c63d1072fdb11540

SHA256
7951de191d3021a12eb6422fab254a34a44218c8a9ecccfd4bd084db045f6abc

SHA512
ecbf50eae216c1e8be25a4e5deeb8e6acccc09fc61d3e3abb87ae795c0e25ef458437f785f37c8fe5a6851b53ade35fc4d38d66fa5b08cd8efd5927b769263bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e756dccdd9a6ced3cdb53f4708f5d0a

SHA1
9ce6d4f40ec357973392735bbd453a82d7d3e16e

SHA256
ab41830001020a1623a80d720cd54117aae8467bd22e0c3b4e79acf47dcc393d

SHA512
49f967ff4e05a04af173277372edf358f48237c5640782680049208eb03f936c2252418a8e7d9a54f722827919bc4d5acb1d1c2f4d0c58cf961959d7d9dae159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
359083b1727c658034a911ad449d3785

SHA1
8e17d1dee4bff9c96b1beb4ba5c5cac936df1397

SHA256
575c8a3c61077cc9d1b251e89f7504541565c329cfe8043a8f59cc670094b949

SHA512
b5705f8ce75ff54fab220f84b9c8f0eede7235d1e1928131b41c62d89fa3a7c855d5e10cf279fc0773f6b27e30da4446fdd65d781f710480a267d5d0c98e0eaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1161714bf91d2a7a96ae80d759fe8628

SHA1
d86e5fe36ca7239b88f9dbcef9fa6bc9ccaab688

SHA256
8d0f7240f67732788336590a5329b574fbbb4512441568be5d430a4a06af958f

SHA512
59c8d0b37ac0e387b674fb3e79586b984fde8a2d9ac50a30c4b1325b87d286c4883601af0a5012426eada24d4dec84ac4a5ffc95bb4f88a1e25f56d53a4c7a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\OHDD6UN0\www.avira[1].xml

Filesize
224B

MD5
73fd2ae71277d554a6d9b2a3251e9154

SHA1
0667af7453fd4764c92b0a2d2a5cc84d1af52fd5

SHA256
c8c461ba27f43b74fcc2f727b381d4f3b63cc4a35e39ca50ab43942819a02a07

SHA512
4e8adddd17bde775ce09f741e17b06541b9b886d375811a6c4d383947a634a839215dae86ca72ee1e711b500fed1eafcd1b8b8624bd9049969a48b9140f6d36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\OHDD6UN0\www.avira[1].xml

Filesize
437B

MD5
732298acbca546e109f0dc37798b042f

SHA1
5d5712c5ad6aff396c5b70bece87ab3b247d0243

SHA256
453dcdd630243a7024333f6af3c0f390e0aa2c100fa7bf4e382e01e067a02c12

SHA512
f44a5874e58f8977aad33a51b1d525d5da016f8b8377499558da0ec6a60a3b8eb12700646f39d869a031de94bb5c5f17de208f308f02dc6f31182fcf357357af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\OHDD6UN0\www.avira[1].xml

Filesize
575B

MD5
d245680cbe35284ca2b9a43ccf312830

SHA1
68a95be36c1e9ada58aaaebcd7529b11673d7ac0

SHA256
2642234cadd56a81ddbe9d6f5b661ce69c117f7d79afff2bfa30776d8a07ee70

SHA512
05f07875341436de70e01a3668df841a555ffff1edd42ae2eb6b45ffb4aed0333443e976ac69bb191f479c98e01d647d2eca9712054d0f5a975159981898c455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\b5orqwt\imagestore.dat

Filesize
1KB

MD5
e0a4651a337388a0f0a7f7a3aaab0ea8

SHA1
e65f1f2a864f1bc415be86572722effb81ca2cb1

SHA256
edc11b0399ee3a1ad76fe801874815fdd1767f140e4746de32903454a08cc115

SHA512
74fe1f5f88c6bf217bfd464b80d78c68ed53ed11f2c0f5994d5ba0221d06e3a890f50963bf02c7596f36d7b7c56c2cf2fa3c2ec1079aed7d599505cfc2f2b5d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFTKP12M\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab60.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar524.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\44XKDMCY.txt

Filesize
924B

MD5
7413509d004699a0cb276a8e3edd686b

SHA1
3470eb4e99e6a230753bb171046bc8a6fa1a0804

SHA256
f383ab0b25d1e7b39e587172b4ee77f36e7b7aec813fcb54a39571055e21cb62

SHA512
704cf001eb621359de59a0a8ade20cd0c3aed92c164c1b0d0eca69b93379552b4daa69151b979439e0a6c3d7d9ba8606458cd75758cd92763a26221106c6ffb6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\A5WFA4G2.txt

Filesize
392B

MD5
04b7a4de2b397681895de7e16074128e

SHA1
55e091329e4d555eb773f913c9e72723b4acd3a0

SHA256
f327267c6e9e50ed3cbb00b663978af5ded8fd7f65a2ed4a29e63fd651ce6aff

SHA512
224d4fe28ad3540fc8447c62829c75613e94382a306b1538d72d76bc414ff98ee7704330bf45a37149e10ee83e796b703009b680f148e6535cf50d7e428de873

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M7I2DA5Y.txt

Filesize
580B

MD5
c7596fce21aa9feffd5acf1f1216e1c7

SHA1
b7635e1a5aa105fc61a6b2e5de85fbb96a6d4b62

SHA256
31888523104c93a76137a817cc30d2105a8923e03bc89004d2f7188805d4ebc4

SHA512
6a32a6d98d5a459a78b5cc18d8b789a091f1b97c6f34afa7601290c06e139672c4588d560d81997789e9eb08182ef8d02b961d9f97fa19ee06136ecd21dc886e

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
4224d0ffae860c2a4966d67b82c5b603

SHA1
77a4bb36d4e50c4d7760cec3cbd7d17102a6666f

SHA256
3b2521c8662bf22fce9f5e193ba280ba1d045cfd2ba1374d9d6547664e20691f

SHA512
ee06ae8993c4dc9691edfd0608bdfff51078679fa6b7765d0563d4a5342ca8463240da0b4ad0e90036358301b1c63efa33fa1f7dc4b1cc86d084ad8312c944e1

Download Submit
memory/624-1946-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/624-3-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/624-121-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download