cff4ec8251196642821acb071b7d68bc93c05af9261d206a58c379ab922fd4ab

Analysis

max time kernel
157s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 16:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b524bcaa36d0e6bd719d96a27f9277e9.exe
Size

403KB
MD5

b524bcaa36d0e6bd719d96a27f9277e9
SHA1

3215d49449e2e044d1c6ced7c755b95f6115d864
SHA256

cff4ec8251196642821acb071b7d68bc93c05af9261d206a58c379ab922fd4ab
SHA512

b07e102ab181a2b2c2f7f44645886097f17512b7e593e371552976b52e39dc998c4e66c1ad80076e558207e19b56811a4cc17777ea4ef005017987d4d2351799
SSDEEP

6144:7jtNSS4VNERBnS5NF2idZecnl20lHRxp3gxncduD7yB9VCO6Sco4q8+dE6CqS:0mRB43F3Z4mxx6DqVTVOCS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2992	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
684	winxp.exe

Drops file in System32 directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7C2E2201-DB0D-11EE-9D93-569FD5A164C1}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6456DC81-DB0D-11EE-9D93-569FD5A164C1}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6B08BA80-DB0D-11EE-9D93-569FD5A164C1}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A5F06121-DB0D-11EE-9D93-569FD5A164C1}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\winxp.dll	winxp.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6456DC83-DB0D-11EE-9D93-569FD5A164C1}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6456DC8D-DB0D-11EE-9D93-569FD5A164C1}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A5F06122-DB0D-11EE-9D93-569FD5A164C1}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\winxp.exe	b524bcaa36d0e6bd719d96a27f9277e9.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\winxp.exe	b524bcaa36d0e6bd719d96a27f9277e9.exe
File created	C:\Windows\SysWOW64\winxp.exe	winxp.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7C2E2202-DB0D-11EE-9D93-569FD5A164C1}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\winxp.dll	winxp.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6456DC81-DB0D-11EE-9D93-569FD5A164C1}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{91153502-DB0D-11EE-9D93-569FD5A164C1}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{91153501-DB0D-11EE-9D93-569FD5A164C1}.dat	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 60192e2a1a6fda01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "5"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a9bb189483377a479ab44f37afc2571e00000000020000000000106600000001000020000000d4661f8b081a185a2e158372314168f95d5d4c10fa3fce5fde5a4ce46c12a888000000000e800000000200002000000059639cc1a86c215cde31a774718751c2dc3417032b29604a6b244e70085baf075000000068fdb3e5ba5cc5f000d537ac8f0eeb9c682e505dabfe92ff6d14610be9c60d051fef02e1ca3a0d2a2046329506941250f0c45374ef489a6897c79ce3e4ac368d4e2b94eb74bd4bd8f54a1677c2675abf40000000cd2cf2bc0d323faff0fc0f7fa712e9d66e67723f3b7d6e935e053ccef58fe468aa26989c5a815ba6cd30662ee3b69bfd0ee5f5c26245f91ccd08b9e9d38ddaa2	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 000000001f00000002000000050000000000000006000000ffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e80703000200050010001c001b009f02	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e80703000200050010001c002600d800	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Flags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "9"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{B8627847-86E9-4B27-904C-D07240DEFC39}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415817995"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FFE9DE13-588E-471F-9A8A-FB41ABD04A7F}\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 0000000000000000000000000600000001000000020000000000000002000000ffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e80703000200050010001c002600d800	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 02000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "7"	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	winxp.exe
Token: SeDebugPrivilege	684	winxp.exe
Token: SeDebugPrivilege	684	winxp.exe
Token: SeDebugPrivilege	684	winxp.exe
Token: SeDebugPrivilege	684	winxp.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
820	IEXPLORE.EXE
820	IEXPLORE.EXE
820	IEXPLORE.EXE
820	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2992	2732	b524bcaa36d0e6bd719d96a27f9277e9.exe	29
PID 2732 wrote to memory of 2992	2732	b524bcaa36d0e6bd719d96a27f9277e9.exe	29
PID 2732 wrote to memory of 2992	2732	b524bcaa36d0e6bd719d96a27f9277e9.exe	29
PID 2732 wrote to memory of 2992	2732	b524bcaa36d0e6bd719d96a27f9277e9.exe	29
PID 684 wrote to memory of 2344	684	winxp.exe	31
PID 684 wrote to memory of 2344	684	winxp.exe	31
PID 684 wrote to memory of 2344	684	winxp.exe	31
PID 684 wrote to memory of 2344	684	winxp.exe	31
PID 2344 wrote to memory of 2752	2344	IEXPLORE.EXE	32
PID 2344 wrote to memory of 2752	2344	IEXPLORE.EXE	32
PID 2344 wrote to memory of 2752	2344	IEXPLORE.EXE	32
PID 2344 wrote to memory of 2752	2344	IEXPLORE.EXE	32
PID 2752 wrote to memory of 2228	2752	IEXPLORE.EXE	33
PID 2752 wrote to memory of 2228	2752	IEXPLORE.EXE	33
PID 2752 wrote to memory of 2228	2752	IEXPLORE.EXE	33
PID 2752 wrote to memory of 392	2752	IEXPLORE.EXE	34
PID 2752 wrote to memory of 392	2752	IEXPLORE.EXE	34
PID 2752 wrote to memory of 392	2752	IEXPLORE.EXE	34
PID 2752 wrote to memory of 392	2752	IEXPLORE.EXE	34
PID 684 wrote to memory of 2544	684	winxp.exe	35
PID 684 wrote to memory of 2544	684	winxp.exe	35
PID 684 wrote to memory of 2544	684	winxp.exe	35
PID 684 wrote to memory of 2544	684	winxp.exe	35
PID 2544 wrote to memory of 1556	2544	IEXPLORE.EXE	36
PID 2544 wrote to memory of 1556	2544	IEXPLORE.EXE	36
PID 2544 wrote to memory of 1556	2544	IEXPLORE.EXE	36
PID 2544 wrote to memory of 1556	2544	IEXPLORE.EXE	36
PID 2752 wrote to memory of 820	2752	IEXPLORE.EXE	37
PID 2752 wrote to memory of 820	2752	IEXPLORE.EXE	37
PID 2752 wrote to memory of 820	2752	IEXPLORE.EXE	37
PID 2752 wrote to memory of 820	2752	IEXPLORE.EXE	37
PID 684 wrote to memory of 2660	684	winxp.exe	40
PID 684 wrote to memory of 2660	684	winxp.exe	40
PID 684 wrote to memory of 2660	684	winxp.exe	40
PID 684 wrote to memory of 2660	684	winxp.exe	40
PID 2660 wrote to memory of 2516	2660	IEXPLORE.EXE	41
PID 2660 wrote to memory of 2516	2660	IEXPLORE.EXE	41
PID 2660 wrote to memory of 2516	2660	IEXPLORE.EXE	41
PID 2660 wrote to memory of 2516	2660	IEXPLORE.EXE	41
PID 2752 wrote to memory of 3020	2752	IEXPLORE.EXE	42
PID 2752 wrote to memory of 3020	2752	IEXPLORE.EXE	42
PID 2752 wrote to memory of 3020	2752	IEXPLORE.EXE	42
PID 2752 wrote to memory of 3020	2752	IEXPLORE.EXE	42
PID 684 wrote to memory of 2436	684	winxp.exe	43
PID 684 wrote to memory of 2436	684	winxp.exe	43
PID 684 wrote to memory of 2436	684	winxp.exe	43
PID 684 wrote to memory of 2436	684	winxp.exe	43
PID 2436 wrote to memory of 2888	2436	IEXPLORE.EXE	44
PID 2436 wrote to memory of 2888	2436	IEXPLORE.EXE	44
PID 2436 wrote to memory of 2888	2436	IEXPLORE.EXE	44
PID 2436 wrote to memory of 2888	2436	IEXPLORE.EXE	44
PID 2752 wrote to memory of 1496	2752	IEXPLORE.EXE	45
PID 2752 wrote to memory of 1496	2752	IEXPLORE.EXE	45
PID 2752 wrote to memory of 1496	2752	IEXPLORE.EXE	45
PID 2752 wrote to memory of 1496	2752	IEXPLORE.EXE	45
PID 684 wrote to memory of 2176	684	winxp.exe	46
PID 684 wrote to memory of 2176	684	winxp.exe	46
PID 684 wrote to memory of 2176	684	winxp.exe	46
PID 684 wrote to memory of 2176	684	winxp.exe	46
PID 2176 wrote to memory of 552	2176	IEXPLORE.EXE	47
PID 2176 wrote to memory of 552	2176	IEXPLORE.EXE	47
PID 2176 wrote to memory of 552	2176	IEXPLORE.EXE	47
PID 2176 wrote to memory of 552	2176	IEXPLORE.EXE	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b524bcaa36d0e6bd719d96a27f9277e9.exe
"C:\Users\Admin\AppData\Local\Temp\b524bcaa36d0e6bd719d96a27f9277e9.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\delmeexe.bat
  2⤵
  - Deletes itself
  PID:2992

C:\Windows\SysWOW64\winxp.exe
C:\Windows\SysWOW64\winxp.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      PID:2228
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:392
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275469 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:820
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:537610 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:3020
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:603174 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1496
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1556
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2516
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2888
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delmeexe.bat

Filesize
217B

MD5
f8c0907f6b5d738088f7c4288de5d410

SHA1
efe1b2ab9caf3af5fd3a899465822b2b173f07d6

SHA256
86b7a62f328e3741ddd8284ea812b589a0abc1bc8096a27c894c24f4f7b0835f

SHA512
27ab33ad5705476fbb73a6da03888082d293ee7bb6b2f88cb2421617331aec350a930df60c09aafd05b935c2a746d80651eabd8def5997b8ebe4c094edfb3929

Download Submit
C:\Windows\SysWOW64\winxp.exe

Filesize
403KB

MD5
b524bcaa36d0e6bd719d96a27f9277e9

SHA1
3215d49449e2e044d1c6ced7c755b95f6115d864

SHA256
cff4ec8251196642821acb071b7d68bc93c05af9261d206a58c379ab922fd4ab

SHA512
b07e102ab181a2b2c2f7f44645886097f17512b7e593e371552976b52e39dc998c4e66c1ad80076e558207e19b56811a4cc17777ea4ef005017987d4d2351799

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
c1cb6359c6492f2c27f62a349b2f5d28

SHA1
5e230e2f6d60d4a46a159928d8355922fe7efd1e

SHA256
8d399854b407a36acaadf31bbaad8a489dedbd117ab345bda23244b1bd394cfa

SHA512
d785eab846b2ff835c2d448c87091fbcea40c8f480c2aa024674ba9edd9f5ce70b4c5bc88a56aca8e8b90daa37dc4777d38a6e08137e386a4d6d74622b922639

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6693d06f40f167f91146fdc586553cdf

SHA1
014bd99fc52930516389f1ff11168ff9505e0dc2

SHA256
e8f2a64dd3b09e65235beffa253ff7238dc4c10b5126a01e88c88e2060106ab8

SHA512
21b2e82bc834afc4997a1294870ebb3cb005479ffc76b4c3c0d5759d7fe8d3cad044ed6866fd40d331aa3c148b3c91275862dfe683e8df5eaf70e357e246957a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6bacb26ea43a7982b5e44ee6d12505da

SHA1
d939c9ce520988496446d6efac5f689e5c8e5300

SHA256
d1a24e548218e460b6be35ed6a2a651f8d624cf76717166c661d60a8febf3b8b

SHA512
5e7f19e8fd316a48a7592830ca92f5728e9284305ffcccfcf68429200cf587fd6890b0236798debf7d6ac4ba82db4f4bb7674ca21a5c68f9ae45978d3f577d77

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b823a6bf42dcf3e48688808b9ab6329c

SHA1
bfa9928aa931db6b92c270ee0722c15ce989957f

SHA256
29ef34be395c0cbacab144ebb432205b1f9f5cbee69e6e71355cc9ea41207623

SHA512
0c0b03c3bef4469cc1095042728a2c7fda70ec094e709fc2830cd9d65938c23095d06017705b942919881d72af1a6de0378e52fc2da6fe64f47dcfad62f1062f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8bd49d941bdf716f08b46a951833512b

SHA1
413def1a10e74c443e2a7fafd712fafff67a4d3b

SHA256
0225006185ff93761ace6a84093ba131ff8d0bd17cf1ef58dd3ce57f99ff80fe

SHA512
17d5d0f461a4e02d059dda0705de6ec11c9e683fe42f26f4c280ebed15cbe155cb2c1696b17df0c9bce37a1c2021e4b1835d2ea8fb5422936b80a7870b6057e9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
274bef99abe956fe5ed7bbe6ff6ce04a

SHA1
aea1faf0fb15956207b026f89960deb466aab948

SHA256
31b6b9632853e7c1e2412a175e8668cf32499547a5ff04c1f8237a0f4963d99b

SHA512
c41227317d1925ef6aecbe39ec7d86a7716fee8dcc1f35f5f287fcb1c7c81a196db591a06bb00b92388ad4d92f617cb419440bbdc0b0967814f6f505949dffa0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
26bc389abebbf76636ec847125c0d427

SHA1
a4c45c8cf2543ed955bd4a8b20031817d1decdd3

SHA256
a71c23e85b3f2a0ec873cfbcc19605439dc1a21b65a2d6ec996bf1b56247117a

SHA512
b4cca4f89f60fdaff6219ef63c73830f4b7de51f8e75cf9afcceab15aafcf9a15ab86839dc74720d90d82b547cd822791b400b3a5ea088322c5a6b7438b36501

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d82fd31a14ff36e350a6d86aef937cf2

SHA1
3f4266ddf632193618b34192de18ed842d737d51

SHA256
7dcd7204988bda244306d448cc89e992dbd4ebc7ba8ee80fbf0b884c6598e21a

SHA512
d3309beeb2b97439ced80bce954d024a89911e8beaa178562697b7ed4a4d5b51aa469af12135fac92533d846fda00aa57a7848455d9ae8b15b74d67e62fb4738

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0356a6b5767f22f4f979577b654692e7

SHA1
1f7d9a155a367d061036357975523ff1bb72d618

SHA256
8c681cbe7606c669dc30f7b16ba0ab571182a95f39e1ce66e36702483b4b1fbd

SHA512
395684f6121cd27981177cf5b6e18971dc794644fabfce29293dbc80552378d3aafcf5091174e778937f0caf9e56d67fe5f1ef96812633873faadc4d7e325095

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9a9b958465dab64c7ded5b78510a060d

SHA1
aaf93920a4bbc3cfe6bfba317dda6b1930aef848

SHA256
0ffa09bedc7b4df8fd132d310098f4ceb1814d28a90abf6d6a695ae06b84b4dc

SHA512
e6668f9f315ad0067de28f774f810a475e2abeb976e68e0225cde23ce7cb7b4c2f335d8cf07d2e7b76abb4e3cb3ecab1db02d87284c7935e561e56008f2fd754

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
538e293d555fac8cf5dc9dbdc8a77630

SHA1
9b0127a486a035f0f5070f41140273d40a123053

SHA256
721c6e6478c9ec0d1f8e4d62f516bd0ed0715851736a25f99f1e5c08f9fb414e

SHA512
ac752b80b50a378f81922122f66d33e3e0f50fb5fa9526aaa6d9fb4e12549ed53c17e5176d1a80107c9d7c059dfdd6d7ae13106c2e5f7ed34d008f63736c4049

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
16b74e789bb0aa01cbd4f584300fba66

SHA1
0682daeadec2ab46833b5284a8fbb0caaacf5076

SHA256
69ce21eaebf4fee3fff70eb0094fa8f67a03f72c33161363c83ca11e17d5cfea

SHA512
1a62694b3366ccd7e55db7ecbfc14d0b280224d440d23dfe45e5280f9880f792a2df9a8c74116edf64ee077c6c5b2418cb8f5358c44ae05182b5356a340a87dc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e9b27e501b21a0f8cfbcd2f0c654a08b

SHA1
25263816c449f65b46e5c6873c40685eb747466b

SHA256
3f8e1a85c5136d5d09c2c01069a6641ad21cdf2b254bab24284b824e12ebcf4b

SHA512
c122beda75331e1bd9bb824eee152730faa5385f55b7ed222d9382dc294ebe528a0b5310c3b05aff58b62d787127da94823a68d43037d7e5e2de5d2540ebe1f1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabB3CA.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarB670.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Windows\Temp\wwwA6F9.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwA70A.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/684-742-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/684-937-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/684-1388-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/684-1546-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2732-26-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-59-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-57-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-56-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-55-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-54-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-53-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-52-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-51-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-50-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-49-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-48-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-47-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-46-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-45-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-44-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-43-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-42-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-41-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-40-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-39-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-38-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-37-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-36-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-35-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-34-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-33-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-32-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-31-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-30-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-29-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-28-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-27-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-58-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-60-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-113-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2732-61-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-62-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-63-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-64-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-65-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-2-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2732-25-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-22-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-23-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-24-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-21-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-20-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-19-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-16-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-17-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-18-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-15-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-13-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-14-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-12-0x00000000031C0000-0x00000000032C0000-memory.dmp

Filesize
1024KB

Download
memory/2732-11-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2732-10-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2732-9-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2732-8-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2732-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2732-4-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2732-5-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2732-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2732-3-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download