884d7714277f2e439843f54b9f9fcba098bc45f1a4b101dfc0f2e6cd983968e8

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c41cc8495aba84f1a17f15a760cc955.exe
Size

104KB
MD5

9c41cc8495aba84f1a17f15a760cc955
SHA1

f0c4512e71cb1d1d77ab1e99815148e20ae08163
SHA256

884d7714277f2e439843f54b9f9fcba098bc45f1a4b101dfc0f2e6cd983968e8
SHA512

3070875bcc0c8be4977fbf440ecf473365378a1f4fb2e662adba68c252e342354b66c6c09fbdde1165850fcaef80ee17ed66ad64cd6f4b1eb61f6195afd834a2
SSDEEP

3072:KVidQr0UZqnnSTqPu6V4aGCWRZX0bhp0vcsjsr8gWt8C1dCuf9MJEb+o:Xr9O+o

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	9c41cc8495aba84f1a17f15a760cc955.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	9c41cc8495aba84f1a17f15a760cc955.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1612-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1612-3-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000100000000e664-8.dat	upx
behavioral1/memory/1612-100-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1612-101-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1612-123-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1612-359-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1612-2196-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\neth.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\wlaninst.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-core-file-l2-1-0.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\C_950.NLS	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\msctfp.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\msscript.ocx	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\tbs.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\mcicda.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\Mpeg2Data.ax	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\dsound.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\dwmapi.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\msrd3x40.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\netcfgx.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\tracerpt.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\charmap.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\dpnet.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\setx.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\shrpubw.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\spwmp.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\vssapi.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\Wldap32.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\d3dramp.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\KBDCZ.DLL	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\services.msc	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\shlwapi.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\urlmon.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\utildll.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\FirewallControlPanel.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\KBDA3.DLL	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\security.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\SyncHost.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\C_1144.NLS	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\KernelBase.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\vsstrace.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\NlsData0007.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\riched20.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\amxread.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\kbdax2.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\loadperf.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\netcenter.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\icmp.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\KBDGKL.DLL	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\NdfEventView.xml	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\SysWOW64\ticrf.rat	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\actxprxy.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\colorui.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\odbccr32.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\runas.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\replace.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\werdiagcontroller.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\dplayx.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\mswmdm.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\stclient.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\UIRibbon.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\L2SecHC.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\rpcrt4.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\NapiNSP.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\slmgr.vbs	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\compstui.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\msftedit.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\ir41_qc.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\msfeeds.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\adprovider.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\SysWOW64\cttunesvr.exe	9c41cc8495aba84f1a17f15a760cc955.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\WINDOWS\notepad.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\twain.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\twain_32.dll	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\PFRO.log	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\splwow64.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\WMSysPr9.prx	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\write.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\twunk_16.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\twunk_32.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\bfsvc.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\explorer.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\hh.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\Starter.xml	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\system.ini	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\HelpPane.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\mib.bin	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\setuperr.log	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\win.ini	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\winhlp32.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File created	C:\WINDOWS\fveupdate.exe	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\setupact.log	9c41cc8495aba84f1a17f15a760cc955.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	9c41cc8495aba84f1a17f15a760cc955.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa00000000020000000000106600000001000020000000e45920c34fdf9a91d5a76e2528ce1292b9e850dd411cbb0bb514631e0e046f73000000000e8000000002000020000000af4c5b5c625ecc4256b821086c52bf517b6ae67a1d1ba6b4e74a296d20acc8f42000000036e393aca8eb043683b5ea815beee5e0171660cda9c9169be9c763b4ffc101e44000000042604fdb53eeb45679e265d62bf663ae5709bbf9281cda652c648b11f71185866f15de5dce4df5abb92a3def6b6a4a6d6c284349c29f6fc4b2b9bad2e84d6276	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{77BCF561-CB5F-11EE-979B-76D8C56D161B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa000000000200000000001066000000010000200000001579b7498b94706defa6e26ef2c9b4447a450bc2f1e93db20601b2c4cac759f2000000000e80000000020000200000004376cfd13327951cdfc48fc85cb93141cd09fb20ab86e9ece702cfa0fe3cb5d490000000effbff269ec47381a287f3e8faf311e94808ffe7fcbf235148c0cc66ce9478687ec7ddeafc432f37fcb96e79da826795905f25d894175eece452ae28b84da9c319a97c447536fadc5321cf649447487fd0d03bd17eaec3df6229f791da0de63a3b93b0cb0076655b87fac8b8f63f889e5fa4eeb8441e4f8474684a4a233ae062b9084662bd6564dc12a01bc78e96bde440000000830f076aa1ac1f06e1006a40cdc1b5c2d122d1df5a79fdb2e5cbf8a81ace2f0d136a0294b93c1a1c01cc108a14bb50389364808a48e825acc59dfd56b36f4d6d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80ef5b506c5fda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "414094006"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2688	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2516	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	2516	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2688	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2688	iexplore.exe
2688	iexplore.exe
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2688	1612	9c41cc8495aba84f1a17f15a760cc955.exe	30
PID 1612 wrote to memory of 2688	1612	9c41cc8495aba84f1a17f15a760cc955.exe	30
PID 1612 wrote to memory of 2688	1612	9c41cc8495aba84f1a17f15a760cc955.exe	30
PID 1612 wrote to memory of 2688	1612	9c41cc8495aba84f1a17f15a760cc955.exe	30
PID 2688 wrote to memory of 2516	2688	iexplore.exe	32
PID 2688 wrote to memory of 2516	2688	iexplore.exe	32
PID 2688 wrote to memory of 2516	2688	iexplore.exe	32
PID 2688 wrote to memory of 2516	2688	iexplore.exe	32
PID 2688 wrote to memory of 1568	2688	iexplore.exe	34
PID 2688 wrote to memory of 1568	2688	iexplore.exe	34
PID 2688 wrote to memory of 1568	2688	iexplore.exe	34
PID 2688 wrote to memory of 1568	2688	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\9c41cc8495aba84f1a17f15a760cc955.exe
"C:\Users\Admin\AppData\Local\Temp\9c41cc8495aba84f1a17f15a760cc955.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2516
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:1520660 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e79e9c9b8ea107d1a1dc4be4f89d86d8

SHA1
b2bcd43e104952c0a612439d17b4d6e417cc566b

SHA256
ed7ad5a9c33ca7957f1710e9c27337600f1c7ca2fad4c957144c54a343f23e79

SHA512
6abc7ab07a54505b3d1c1d18958f31ba1f333725ffbe4514e96f782a553e98c0a56bf2ddaec4d74af04dbf5353ab83a0a2a3fdd7be740db8d54fa2ae3c229ce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
109c03e3b44933ab9df8101eb6962069

SHA1
4f4d5c235cd9eb9c0f3b7f8acb5e45404d3cd9ca

SHA256
5d94bd2c2daaf8849b33da49f090ad86d1fbe00dd9799c95fab2ebbb968c8026

SHA512
3576f50a2c05d7b043d646da8a0a5622648a4ac4115aff42f3f00dc3045b2ccd8383718c1e5500aeb46ea73fcfb9ae62282776f447a40d686002d5cf1f441908

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f44b580c81467d4f66fbae74d6691cb1

SHA1
8a2e60fb735c0ac7d0f9d99111bc82d27ab3c211

SHA256
45b3158a73defe193a1e7a931e3e9305ef27f5bbe8e1bf920395337721a9d7ff

SHA512
341f5373c4616d38f100f5ad8e75b5cbdd18e41eccd7080d0ccab4d55c584f41ab377ff34993987cda92baa7eb5a18f2a7642f76cafb8ce11b83d1aadb2c0005

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69d8a126a54e98b91329e24570b477ee

SHA1
32bced4ccc08af34afe75aff9283f941decd0773

SHA256
66849371e24b946afe34f5c9d8efdf52353f6d3daa8ff66c3a849f483642adf8

SHA512
6d8949d0076d82259b998076d0658d19040a45e5d8770d611410f3091a4d580c55ab256784bd11f9a0230ef3c60ddfd4cbb6cf57baa7eecae22245ec3690dcb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f21d9145dfa4074a6f49d5656eb87b8

SHA1
b047a0db4cc9a2ed4181a52b6a7a8c8628c74d2e

SHA256
14d2b0d27b5b2bff2e43e7b39f0daa5fed81f52df4715941d373071850e12651

SHA512
c25d8ba7997dae846f1f1d661e4aa7ed9925665529b2d60c349968fffa00d43e40c4f73222dff5a2605019796728796b3616bdf77e55ca4f15002df06c254f94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f803bdf87811e18b72bfe7cfbf326a9

SHA1
23938d9d3d5c52d8b34799f0884ae300a09f216e

SHA256
81c5d2aff141bafd869386fff35130b4a8bbdd7697522327e5e6974a5287ba35

SHA512
642510e6649f69e6aed40105682b2b6f97d2410e72b70e8776b7659c0258a6e73c71f9780fa9f0e9ac33ae3604146b5f7c6fb5f999b37f787e0a2ef1723549b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b2643633fe7bb7f6ddb9e88386d141b

SHA1
a393449b08e643489cdb18e4f46adece6911865b

SHA256
64445243bab0bc5047218390d06284c21802414c74959fdf6a157c423b46eafd

SHA512
a46bdce2bf7cae7ee79a046a3774f3929cd27b9e161971bd7a1d038c293f3db709db235d1fea6423931e009281d5902b982ab8429574e104e7a45de120402e56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66fddd065729c9cd4e650bf6e4220288

SHA1
a4884a611c7642baef93121a9638fac89a3f1e9a

SHA256
22b5f822e8a3c53486f23257a6018171a47a95eb41349e4e3c8f2483ffed50a1

SHA512
95f4ecfe7c1fbad11f7515efa0e2a5f3aa14525a40200a97a8f3ecf2e0fb89d3f6cfdc83c92760a950bc36da5e062f657333235536f186385534e2e0a21872eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9317589d5125e9fa0f5011e4fbf97e4

SHA1
07277077d7aaf96fa634d0ec1a66b9d3ff8130e3

SHA256
d81682fed826f41f67f20c807bd2c2f631fd12e7f996752dec13d774702b6a3d

SHA512
5c039ba4450759bf590aa70056bc35cba146faa8250c46cf34660ddb5cacaa64a26fddb54e4f3a8fe2730b5e8a425b71ac2e973a6c1ccb2a468bc3b3c2a1f50c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7798c837d03d7b9673f98e1c71675dc6

SHA1
9192ba4093ee1f040d9919c0320938abc93d23eb

SHA256
0d80bb18c239f148dc028068731178bec9b2d07e27d457adaa0f0a968678d3a3

SHA512
c5ee84e11dec782c1e06ea39f0e9493ebc86d5514933fdd98ec4ba10537584be5e12b7a1df1ede70cf0404d70025ba199e5123863c90ecd61e4fdc50f12657fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98707b15daf383d03116b7e14b1f7fe5

SHA1
5963f3ee4ff0a733eb6d45535ffd58019949fb6f

SHA256
8d21311eea7dd4cc42db87b838a69160824b872d378292c95b27cf64ca81bc4a

SHA512
dd446e21b52d4bf87c5751660940e49a3b6a07daa737a24c17d59c92cb6c2a7f87b7b9974278a7a4648d5d502ca7638e70103d45fee404b93c4e352100e0e198

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9218f6a2955d2d065ef94644aeedbb4

SHA1
10d1db4bbbaa743ee6bd4c925b01525ddeff49cc

SHA256
5f56e1766b46d6a124ecd2d39e2a16d64ff3ef9524629c650d90836051c8fcdd

SHA512
01cad36819886acdd2e0c5b82479c806022e775a4d15e3fffb01adf86b1ef1ff1edc1e58547496f3dab8109a3a398d7ebe76a2f63437f9faf4f8b2b9b2d7710e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f1e087b1696e13ea762018a6a43ec7c

SHA1
8a00df8d72799324d0f39e869dee0e93e12d0064

SHA256
f70a8867b7d21a8dd92aba69b85306846632e2768ae773877c4c58b1caecb6dd

SHA512
74fdae0c2216abf2ae3d23e80b170c6bdd021575c6282329b3f7ea253dc32f701af76223404412f05eaecf35cb730b45f8faf9aa0733f75effe8c4d24ae22ad3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04930c9fa802cccb13ac8feba9fe12e7

SHA1
0ab9e2559f39eeb26ec5f8ccc390442458cf0ae3

SHA256
a982f4ff1a050782a54efe2a7a8ef36b774b34e4df3e3d0c9e68bedd8e9f75c4

SHA512
30f35b2b16b625f313007871fc08df1ca8983953eb47a378277b6ff768f2392b913684966e3a5230012d052693f2cf9191ab16c83ecbfe6a924d6b38d83d9886

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3fdf479a4e1fa7ec46b026baf8b6ff61

SHA1
56a1702d708805753abedc71c175a13c6cff5320

SHA256
413ceeec02d16b468e5fc75f9cfc02b79aa7ecf3cc2e07a64feb6e096dba9478

SHA512
0d56c74b9591c61a217ce1f5bf9154c56e628b2c2a19fc5e2a137b775657aa5420197d306b262d33df175ef0c5bed2add61c735f35713c06d9179d81c0264cb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
692a9a154b8af465309aa7dc67847391

SHA1
f4bfb4682bbed0975c1832b15157f4e1f1fc041f

SHA256
ff018332c4a8a11f943c84f1755a1db1c20179a5313409c59efea53e7708c404

SHA512
af4cc70d74f5c1f8aee507a14c59cf4dce2b7579f5de7cdbb07c8d76533e750e543e10a38b08e36d84e50650c9d9ea3f4bae05a04336bf92c73817bb5d95d699

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20f5c5585854ebe05489ca75e206c968

SHA1
c1d6619c2e72dfc0ec512577e15ea8e50ac404f6

SHA256
6f2b40732720291027fb5850a765eb3c54d2a1249a56b3aff19c5786106b286c

SHA512
7a038f7937f799f75baeadffc67bb0ae251c30b3ba028466f62016b7583ea0cd99dedbb8cbe9d45f9d8b56529a9ebef8b5caa863de1e00fe22bad70735bfb861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f60139da40822ad1b30a7cef8f1b5f49

SHA1
53c6926ff8ffaa7c63ea4bcfbf7d792d43ef89e5

SHA256
efd0b5a7fb82a5825e7b6f5b15a93c9d02538c6be72705c73a95eb022c840045

SHA512
0ca6d55b6045f078e22b8bb70356c67fbfe398d348fbd797d99aade0f4705206fa4d1fcc1a7f982fcc2fcaf6435e6b99ea23382dcf3762b0a74d5f265f15fa01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54b409f6b80c7cd584a5ff7ebfece7ff

SHA1
db7c526e913de2ea3d850d0a3062ea0f9afc9acf

SHA256
3faf6cb711fbbc2fcf15a67cdc8fb249b59f04cae69ad79c8801746a40da344c

SHA512
934bcd9e61a427fa392ca15e3a3a02a6282877fbb99b86007a015045a07d61d6ca838293c36c3c275e6fdae5fba1e0283c5030f1502f940118cb55d54de12f79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23d170ea0042e86af256b1c6c7c7aa5f

SHA1
4c2e139d9d02e3c7502b17994a27e5357c67e7a0

SHA256
a8d06ee8a06311256716763b2f0c6f1161843b5237607a5804caa90df348c447

SHA512
9f600215d4814a161fde8957c2b395304ecfe3e7be3f91bd52b8520cbebb962d05b83f88c143e9f277a81a847c71b8e1254f97e7cc1ba94e0ef5c62c04731021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
47bd6e8ea0089a1810fc9c461c3c61f3

SHA1
88af17198a6cc010005243af3cd71f8a5bcb80a4

SHA256
f57c5580f3e8d7b56ebd6b648b5f4fb9470339a7c5832f1ab827de3a2c1bde3b

SHA512
379f7bef9e4543975242a624cb8ed362d1048573d6f4ff7b84cfe5656511ff23ad03a212deabeca48b0accb85ded4db0df0efeef8b1ac52551af1743f974599b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77ebe60f8a95776c6a54ba11dbec8279

SHA1
c4fbdbdcfcce3473a17951cc34e43521afb66cdd

SHA256
73d29143cd73ab2a6d24517823ef6f062e58dc6f8cf72e0ab538b27809294125

SHA512
3d5af653506270864d77da9d7ba4fc1031931778be8ec971fdf87819e45a57dca700fb3cc2ae9eed18bd95d8baa6e37cae70c5a241f92810ae5013aff44e069b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97449b5b0f6300c65a551aadc5e83da9

SHA1
5ee0b843e3f966269b632b66f05e4c15ccc06e63

SHA256
1f0ed51aae0297421358b5425decadfe565382ef4c925a17760b42cf10a911bd

SHA512
c2205fe3b29698cefb92cc3852ed8de7bf24368caeaf38c4d8ac5e120c8452b0e402c7c2b3acad70875ba681d1c25003041e4802a7b7d14fee714b8b49b24279

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
162dbe1eb2a96a95a9874e6b168d7d2a

SHA1
2ec650f78164ba3bb4cf63e54e054bdfb88fb3d3

SHA256
29014472971bf09f1ea49bd59b7ddca2b56ccedd9d7327e9abae0ddd7b528de9

SHA512
7586aae0a7ccbe22759e6e905ea06fe754dcb2a26201859ae0bd98880bd11283ac8373ae64462f62ee5f1b7d45daf2ffd778f4fea552c083f7db1b8f65bacf37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
525f82b04c845cb1b5644278231bb948

SHA1
ed5482498b495e924d5583c3b46def94208c7039

SHA256
52c5592321a074ceca757d6a4bb592b8432ee296e638f9cecfa750a4e85432a4

SHA512
345bb4c843c09ef0a564611c45f1acb825b72d92c1f745d92c75660466618d076877d9fee003482ebdf1bbb050addcff24b15d4e6a4b28f92de313b7877020fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8a4e0520f7c7a231694bbbb9dd6dd5c

SHA1
b490503a32dc798b969c0239dd422c6640c1a6e0

SHA256
8751b5e9f686c21bc68e7928e2e82b4f8e9671b705a6326221ff9e9ca971c1d9

SHA512
e6abc75b4fd5f7095f8956aafcaac1ffc7518e6bfc68babef39551e9edee37de50e83944c15c83796bb2a1e524a60a680366024f35aba44fc69f7cadf26e7aeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56c837106eaf62ef1bb617e0a24af69c

SHA1
4224f8efb0d182d4627d265ba315234d6578bbb7

SHA256
4365a2116c347d1a4c3b51a575a089fb73d318cb3b3d3d2d17fc8c386057a657

SHA512
c193eaad16f6a868b9d5b24646eb42fdbc4a777bb49609a13be0030d00032b68854725b7dad02419ae539a1342ade69a6021c6ec94f8a08ea07eed1f02765683

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5903a66bedc96b82a35f988a558d2406

SHA1
ae41cc6c98d2d1f3b6d9e5a2e0d850b79b3a93fc

SHA256
7754bbd97ca70ac630053f337b47cf6becae126939a74a5df2870294628118f5

SHA512
5c87e0f9bda5559b63b0571392959c518277d0714fa38ac18274fb674a1ac1e0a0277459f9bc8a541835d137482abb56c985136c7bb17d16798aa28fe6437ecf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
013a6d92c6cb119b2b13bb40cfded5b7

SHA1
e1e79a703a3e1cd9a2eed308e27304150c6160f6

SHA256
edccd53ca2c25c1105a72ec01a2a78830d3da8fc6ba1e33797b87fa4a8ac226b

SHA512
054ef96fa46531384f47f0ac63876bcef12f5bbae6096d7b0e6dac6fec7a459cb480460d16b1ed6e6e25286361daf4c0ee7774883565a2933c94a778696d1518

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70724347afd34e6c920fbdebba994fb9

SHA1
ede6a755aafd0d14ccd116c3274a6589ed028565

SHA256
10baf90b8df7056613fb0976e63647d5e244e6e569007b1d0c0b2874db6c2563

SHA512
f941f402d5bdae5d2ed97fb7355f9d5469413086fc049e2cea719d19c1eee5cb93368e0ae643a84e7b1430deb5d94efe5eb2bb76b3365ba68551d3e463e6f9c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9cca64961508f1ddbe5ce873308f0632

SHA1
12fe0754234c2f5bb5591f9978e949c2f56ced31

SHA256
fac974601a6acacff4e74b2879fdb77cc9f88bad5025d45c0394f743846fae0a

SHA512
72ef9a42312dc8e6d5a079724ae5792845c0ffd28323da82299ecaabdf9f1fd8aaf70b81a9584a512ecf25e5fb42568010d63365b318845b7830b96c84826b80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c400ee2deb5331209dee01d3c60fe5ac

SHA1
8870f9acd2d995a5702f89fc415183344ef9d09c

SHA256
da90da820be4c844e0c2cc250b01c8f69245b1e2515484c1ee1755c8b90dc9a1

SHA512
05bca496b4bf552fc039e8884832c01bd3d375c9aeb47fbce723516ecb752124260f57bc2c99b88e7fedb6830b23ca2f88363b60e1ad7c4946f85d744dd819e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b5bb597242f17145b09198d76e6b529

SHA1
bbcae7cd698c30cfe6d6c8a7bd8aec5644e1787e

SHA256
73b90962f86de657db6bfda9439f7e9fb7712d52e01350ae4aea0517ef4733cb

SHA512
d634d09cefcac44f1769e6fbc8f9a147c6ce15cd8639a343b92b0228865cb4fd55a70ea301a47fd3f63616b8d7985f5e85d71d2c8cceda35ca71037771473d88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b0195040b87a68b63b5bc0e363f46d83

SHA1
313964cd5fbeb4ce46fa9e1e62692068c6834867

SHA256
85cd65b2e8dfac9d2491c1fa19fb0033df4963dc90498f978186145534e63dca

SHA512
d33a6478707a78ed8d2aaefad19f7c998b9135ea7bbb34afa913754e3e5a0cc49d799ba17bf57716a549269dbc5d8769abd6cce89c7aff77e88a48e43fffed99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10a15be3b740b878a553ff9a00db0e0f

SHA1
c183a2c23b8c988097b8e18244c93bbba8735d89

SHA256
2de195f7ad5ae5236f3c0df37cbfac2b67e51e25ed4b4c928a29d96008d85b2a

SHA512
23dbd4c0af42e4e9c343b20837fbf7edc0de3379c99ed2a1b01106f99b5d6f297ee2d3a7e529445b17bc618ce670ade12a4bbff05326b57bb4b6cd996ff900ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b409564f324262a742b642040d0482a

SHA1
0e1af54d7dbd480307718fa821a8721ec98443e7

SHA256
eb97ec115d9f44ea7ef5e9b67e35754435467ae0921f8d21db6cdbcee847a940

SHA512
8e223a84d6c3d746ada787e0509eb8d3a89628031555eafa474b89a6eb875dd38a1968e4e5a08e823c9ab48191ae9714813775b7ce26264b4fe976a8cc779148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b7f4c13c08fe5ff2b787b56e56b18cc

SHA1
776721f40d0a885f4df191997bc62f70cb92c140

SHA256
2d4e5b7f1864c3784bcffb21fee5c10a8c3417a03e18c9fd35e0642b3f5e46d1

SHA512
359f2d729ddc2c1b7546be452ef55587781b54ea3d3ce86fc3198ea5c7d51cedbfd659f3b8430034897ee06fd0a4fc456545c03929ed4fe62f2f7c4c02a60f4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d7addd15b73f0167c490a8e4ce7da44

SHA1
aa59b017138e5ecea6bb2c388e0b5ea40abf3651

SHA256
523519ecb3ea89b827d3ee9fe2b17a843fbdd6e3f19ec2b67f5221c7a590c0f1

SHA512
55d5208f5b3f7d891c9e97a87afbb4435544332ae991feaa7f2cb68ef8350b45b73a5c82e6d8c7254fd0fb1766386c7dd3e9de3156d77d32159c7935a216efd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e47d54e429c712a41b5da55ef5b656b

SHA1
3c760f553a63cfee7e1b706ec154cf14dd7219b4

SHA256
d4a2d6604d364d7cda1197edfaab07032a9a1edf7daf799d8a14cdf5f646d93b

SHA512
b41d09ebc64e6fd7c1ca69cd7db275771cc5a48887554e5f11a06f61f764af01bc24c75293bf87686fe95d6bdbc2423c6887d0f0184d69ac6f56ab0e2ac786b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce923122b76c1cde42224e1bcdd4e9b7

SHA1
538cc181f4c43489572295a6ea9f3c7bdd940fa2

SHA256
91650703de27f863ae291c81fcbc6bf53eea816bd8c30d669264b29759d85759

SHA512
35fd1115cd2768e771d6e90199a1cb2314cac25c982127845ab9aa3a09ed4cfdaaa989d2392b6017ec0a89a890a7e87ebaa785d35f4ca2cbb8c08a5958661f03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3a51cfedbfeb971b13ed5667e4542c04

SHA1
485d5814f17cbbeb258b7811a2f9e89a6e4e00bc

SHA256
4be37361044aa7dcc61af46d05890886242b90863a15535c39de6f785f409e94

SHA512
6f3444f605c3d7a23302f5e4f0473f002032859a8c94862aa8cda7917669894e62b5ee8683e363ebabf0e9e9a22de486652cb64d5b48d414de8988f454ae6f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\CNVTJATR\www.avira[1].xml

Filesize
437B

MD5
228b35bc2faf7586abf971adab37e7e4

SHA1
a787b2c2099e4c6626f49b307c19b3a3545543d1

SHA256
2a32c730ad329dd2eec8c0afdfa0fac611549ddf41d753439b73e5d40c4e5d12

SHA512
3b7f6904cbfb8a397fd37983c8b781f64d8fcb0e03cfd24c2d6cd4130d8f0167e47dfd1986491d6485de67d86f947de421b24d632aa0563d63724bf590da796e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\CNVTJATR\www.avira[1].xml

Filesize
224B

MD5
ae5add3f415226fd8069d82994d569af

SHA1
b7576ac54bd05d72e5ed5e938715a017d36b21fc

SHA256
ecea0281f17e84707df24c8652ef25c0146eb758696234aec240a0e844e425e6

SHA512
a52441333f61163436bfacf44e0b6045a8d1f7aa1232771e35ebeb3b3afd81d72bfb262cc986509975b42a18ba50b2966091e8322e06ccb9c4ab6425d3717b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t83hqs9\imagestore.dat

Filesize
1KB

MD5
b4c21fb86abb16bb9ee5f3a7104e2628

SHA1
1ef6d0890920642ac31147b44e08600b927c71bd

SHA256
a9f710bb1ddbf08d65ef3f968e38aca1eb4321bbe5becb00e26c1f0ed70e3bc0

SHA512
91368ef6f13d3b0b6e1eebab74bdb90dec6956530df4fc4a9bb199a20247edf82dddd8bcaaecdf5a518dc269e647d595d6c5fe1b7930b7ff8e97a71780103195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4R90HQQX\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6911.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar69A1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C3MFE9DS.txt

Filesize
921B

MD5
386f470610dc1ac6e902e0e7c1003984

SHA1
7eafed4a6be40c6fc8aed18942a767ff2be6805b

SHA256
03091b1aad10eae89ab2e39b7358703f384a316bd5067f592724af22ee27aa66

SHA512
05f51132a7a7a81bf87563161cef6e8451d4da298aaf968988ecade3eb6380b7fb63abdaa2e2cefad22cc3bfed2cd2f3e9739515df0eff35f62a0d5bcc963c7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P6N1RBC4.txt

Filesize
583B

MD5
574b769ee595afdfb6a134a94fe49cda

SHA1
d61f281b6356bba3a06c7b3bf9b05d34d2de4a76

SHA256
8059c5e36087219fca80899a602c43675d04c9166d2717dc3e62fb2ede444169

SHA512
9ee350f3a7dbd62c11386daa20330eb29a6e40502d934deb82e772a5bdc85a2393d070ba66280c0097d7e0d193e7c3f13357fd17fb15cd3fe166fe69c0d9ca7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SI8R8QZ9.txt

Filesize
394B

MD5
3f12cb9731ac0c78417695f817b33046

SHA1
f910075451acbf7a646e4ed3791d0e229ffa151e

SHA256
10c8d1a647ef554f1fe8008c459f9fad6415c01af09083667b4304ffb6494bde

SHA512
b31c16ef8a9b5f9e3a983c63e9cc5d1434f54f42a8771f8bd757dfe940181aa79b8a6c85acac7f90947ef72717de1f9ac201f5a741d28d31e64833004cbc2c35

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
8b00554d9f1a62d826f9be7951138a06

SHA1
30c5a48d72a8f7dc2828ff51b874cea5542673e1

SHA256
031a730bba9c57ad88759d92b1cc4cc4c0f257c9e2a4d863dfc2dbed5fa36881

SHA512
5c5a9a7170eb193672ba980bd5c91634eaa4fc2e76389c060b1363ce98dbbb1960c01f3bec95741923a7d9be833dd68dd9d24589411594a1a2b36c563c1beabb

Download Submit
memory/1612-2196-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1612-359-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1612-123-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1612-101-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1612-100-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1612-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1612-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download