cb3557a20c6c5dd7bd87a2e4082b8d9c409ab11d22b13fcc3d20684fef6f3e19

Analysis

max time kernel
143s
max time network
144s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
Size

276KB
MD5

ccbb5355b566c47ea3cc7acfd4b9fc8b
SHA1

0490fc88853a15155b599e4d38c96bc25c57f92d
SHA256

cb3557a20c6c5dd7bd87a2e4082b8d9c409ab11d22b13fcc3d20684fef6f3e19
SHA512

fc227b1a7868a4e141c5af8dc5943e28103f7b22bd42dc7e40f092e10e203aae87e5077a9fc4756a56f13842a10df3db38edc85300a00a62b3134c0342cefaa0
SSDEEP

3072:v15YY60+0cJB/JO08G/u15G15S15S15YY60+0cJB/JO08G/M:t5G5BHM5U54545G5BHM

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1956-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1956-3-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000100000000e664-8.dat	upx
behavioral1/memory/1956-121-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1956-2144-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1956-3213-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\avicap32.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\cryptbase.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\odpdx32.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\WiaExtensionHost64.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\cngaudit.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\iprop.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\KBDUGHR1.DLL	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\netcfgx.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\PortableDeviceWMDRM.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\ACCTRES.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\rasctrs.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\scrnsave.scr	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\vbajet32.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\comexp.msc	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\dot3msm.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\icacls.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\C_28596.NLS	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\KBDLT2.DLL	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\mssign32.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\objsel.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\PhotoMetadataHandler.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\rasdiag.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\AtBroker.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\authui.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\KBDSG.DLL	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\pidgenx.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\SystemPropertiesPerformance.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\uicom.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfcm110u.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\mswmdm.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\netid.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\nlmsprep.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\atl.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\C_20866.NLS	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\joy.cpl	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\KBDIT142.DLL	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\SysWOW64\korwbrkr.lex	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\riched32.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\services.msc	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\umdmxfrm.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\bitsperf.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc140enu.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\mstsc.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\openfiles.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\fltMC.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\KBDINBE1.DLL	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\RESAMPLEDMO.DLL	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\rtm.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\wsmplpxy.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\cmdl32.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\connect.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\ds32gt.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\ipsecsnp.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons081a.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\authfwcfg.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\C_1146.NLS	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\iprtrmgr.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\MMDevAPI.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\mmsys.cpl	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\d3d10_1core.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\f3ahvoas.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\KBDUSL.DLL	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\iedkcs32.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\SysWOW64\NlsData004e.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\DtcInstall.log	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\notepad.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\WMSysPr9.prx	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\twain_32.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\win.ini	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\HelpPane.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\splwow64.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\write.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\bfsvc.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\hh.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\twain.dll	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\twunk_16.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\twunk_32.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\explorer.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\setupact.log	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\winhlp32.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\system.ini	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\fveupdate.exe	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File created	C:\WINDOWS\mib.bin	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\PFRO.log	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\setuperr.log	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
File opened for modification	C:\WINDOWS\Starter.xml	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000eca68cf6d6fa1934dc850949c047cc867da46ce46f439d1c08424e88a16122a8000000000e800000000200002000000038d8e29df2a593e744e9cc071cdc97e8ed4159cfbea4fd8c1fd3050b2026e0932000000049296f299fde5180f5ed2ac3d18f957f34f188f4b26ee664ed5bba46013b3c7440000000db8dee976117ca8e4c1dc2908d238e2e8d60c7706c1329eea2f2210075c626a0ec3b8aa4f1a58a4ec09bd4875aed1a48a5d15a3bd7cb3939e5eede2a2b4e441d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c6000000000200000000001066000000010000200000003d78f16ddaaa5e5b1fca64c2be2dfe232bad76028b469c5ae9caad43bff3f6e6000000000e800000000200002000000067735614613e85606a96aa53959ea1cadd6dc649db2d47fc74c28ec8d21101a190000000c959e6dc4f351b0b047abc2fa969c509b99ef989058257ff4d0ba4773860058160ef1eccddafc95bb22eeea0b9c1709d5a22b9bc1a7727b2d0f7070f65cc95f6cd012cf4e30084391c7283dff21d69f1bd97bfc64a822ec1ee4decf21e197d216c0632883d4594aea974eaa6a55d438372edaf38c5702cd7d221b0547acab59472c44185f4c4acd93d06964e6bc33258400000004a17bdfcb28406528cb2ee3d5e37a9db89dac6f1b447d453365ee9b74663fd9ff63b90c9f0dfef6ee11e89ffd11176d543e18d9da7980b930c8dcf2fd5236262	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "290"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "290"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "290"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416713614"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "255"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5073b18e3f77da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "255"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4B1B881-E332-11EE-8B6F-CA05972DBE1D} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1716	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2108	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	2108	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1716	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1716	iexplore.exe
1716	iexplore.exe
2108	IEXPLORE.EXE
2108	IEXPLORE.EXE
2108	IEXPLORE.EXE
2108	IEXPLORE.EXE
1404	IEXPLORE.EXE
1404	IEXPLORE.EXE
1404	IEXPLORE.EXE
1404	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1716	1956	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe	30
PID 1956 wrote to memory of 1716	1956	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe	30
PID 1956 wrote to memory of 1716	1956	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe	30
PID 1956 wrote to memory of 1716	1956	ccbb5355b566c47ea3cc7acfd4b9fc8b.exe	30
PID 1716 wrote to memory of 2108	1716	iexplore.exe	32
PID 1716 wrote to memory of 2108	1716	iexplore.exe	32
PID 1716 wrote to memory of 2108	1716	iexplore.exe	32
PID 1716 wrote to memory of 2108	1716	iexplore.exe	32
PID 1716 wrote to memory of 1404	1716	iexplore.exe	34
PID 1716 wrote to memory of 1404	1716	iexplore.exe	34
PID 1716 wrote to memory of 1404	1716	iexplore.exe	34
PID 1716 wrote to memory of 1404	1716	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
"C:\Users\Admin\AppData\Local\Temp\ccbb5355b566c47ea3cc7acfd4b9fc8b.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2108
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:1192972 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
9214a0d0ad96e661c2fc230147976546

SHA1
6ee11b4b054d8021b391e8da5ecf02d89b443d38

SHA256
3d09f58a28fc010f887aaab43063a8a00056224e4b7e41250ffcd789036b855e

SHA512
5097508e7f1626712454a5eb58006477e2c1def1c082941e1bbaf01b6388a8c4e6eef05fc69a9897ebb0a0a409a275074def35b61acbe1933cee1618b496dc13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a34fcc82e5205fc627f1425ad5ba91b

SHA1
8afc8542f52a401204f0125dc01612f0d216ee7e

SHA256
c826a8af1ecfd7ba866cfb4edf7cdecdcf5549e685cd7520a87dbec7a92e7cdf

SHA512
8cea13e1f84d4e8b8d26b48c5c5e6d3ff880e650cbd2d89149efa81b7c027f1d1d2691ebfd75ed6c859e512a2fb11cb0c07bf11ba4011e73099dab3c00e29bbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3b496588538427eb730399f125ca0e6

SHA1
bb93e2cc02b204a335510d8fcd4b397527690bbb

SHA256
f150a6675f1dd8230774a7002848c5e1753cbd6f65020c8d5de0df5f9c2f03f7

SHA512
ec9810d28e4ff241f7937033569b76e2ffac487199ba8830bac95cb965c337622872cec91c7841ff81ef4225bb1fb61bb78178fd941752e495abec55ad17413a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c6eca2f6a86a74b937f7856a7aebc89c

SHA1
ca5982c8fdb5ce2ab1dd6647998f4bb920c1bbf9

SHA256
5f7d092dde2c50a1afadd243447c1f957d5b8a84dca2bb06c0cdce9ec1eebc2e

SHA512
cd59f04829d8ce29df7eb3204a212a5d6a8f0a1fb254571cf9d324c35eab0c15e59acd12dbffd69fcd42e31af33bb1e404f37c9f9872b2925739d531199553d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b79b39c844f3dfa877337c0aebe8a2b9

SHA1
765df7fce1d204089cefcf688087bccda845e924

SHA256
adc33e05c6d297644a2b1132153a8c56cf3ed9efee58b3726b6b72fba3798f6f

SHA512
7bac643d1296851e66d1ed85819326cf5ec33c52e18d80350ff78fa8fff4f9d224ed5fed1f8a231a20ec4a68dad7da389c23b4bbbd1e72f6840336ad884c3d93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6570b9082980de7d958c3a3d3fd5258c

SHA1
a4c8f397f8560e911957618f450a33907aed2232

SHA256
55ab35541211e4a6169020a2917a0c9e708773826e729cd9829d234b29dcd220

SHA512
3ff682b4df8185643b67c9e2dc2199afb5c70e64dbcb35cb3ab41192112b38b9a9916af924d424f0aa398d7de05d506910cb1be9d630180d526ef96a9b86b44c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ad06a0230fe34e93905939553ae3843

SHA1
01989a3a2fdd96255490d7001cada4f3e6f06fee

SHA256
c0806a8bdc62043004cc70418e74f5fb6f9fa01a06eb98ad6fc81833826919d4

SHA512
1f1a7ca3c5c5bb5ae7892e49f10f02449c2cc050277d85d8c2e070c67bfea7026e03a27cc4666a1273c6563d5eaddb6462ea5925457f4391a0019feed8156c9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b2961ca38500a9c814e3b9895900995d

SHA1
d3def9e2ebf0b9d6e56c9f7f9efee8b1f4bd29d4

SHA256
057694e6888611f5a7c64757821f3eb0cd8172a37d6f929c47322ad5cf7550a2

SHA512
0c3b433fbae7aa1acbd606b249fe854f4e3bcc5f7d747cfb9f14953c80501fa7e3ffbd0ca99097da7c487e38030646cbc9ee53f6085fe596797c937f847394b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93069e3b657d96ce77f91281d88e3785

SHA1
c175c9c380b8792b841ca83d8df8d107176e5b5b

SHA256
0747abb4e28fc5a3ad1fad3823ec073126f0cde1ed022470f8454fd33cc76d90

SHA512
2632ff6ee500c674ad95c2b7fa7e368dfaf1b5b8d4e7ade66ee76557c64a5aae0df60eb2a4f974ed3a6dabf55ef61099cfbd58671ea63b6e30d35d6bee0ec5f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7f73458d809417014f5b644843082c4

SHA1
485a6891e406da36bc281a3dbcdd617293f88577

SHA256
b593bd3ee4975465c8082f5a4fb7ee9c6f749609da3da03585f8c5b8b75eac1a

SHA512
538d406b94af80c931ce9634c6bfa8ffcb9cb57a7131c7723862fd6a4d3c304b9fb68c21e68fd05463850394769096075c920d241ba90cb7513a0428452e5c39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a36c54e37c0d4daa95f3e09594b4d89a

SHA1
c49efa0aa0beb42a73605e5e5786726f30f573ed

SHA256
5d8687db8831a9b5fe31be9ba0f7c03221b90a593b90aa7874e207cc2d6a521a

SHA512
80badfa960d086ba038f026222ebdae2e8a296f68ca113b7f2310de3906165efb5ca62d52ea7e00126bdaed911b51b5c60f319fa9cb9411708d353322e283e29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1884fd3e8f3750f08727b99cbb45de57

SHA1
a73f1e37d5bbc8e851d007921f2cbdb43416f605

SHA256
ee61eb582e5deb6b1ab61132b545d8c52628511ce5639b7d796b3df610f152fb

SHA512
7c76b5f87150c30e96494740c4bcbf2518f4aec0db8d0a84a68458c6fa91fb723c52a4bb773d84a11dea8988f059906ae80aa551e4d19a40818c244dc5adb739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17f1adbbd22b7de5e9ff803e5e1bc9db

SHA1
807dd016f908ff05517094d4a0aa6c979936ad0a

SHA256
77068df3af139cde8a94b1b64b8c043f6f9419845c0a94493cec44a68581b2bd

SHA512
3f346e3b75f0ff4cec57e540f797ce5ad7d99f615147cbf769a71d1422412b44499963bebc38cbdc1f395a6660ad214fa8803d50a59e25c23413eb843b285248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d96d79a547123b50f820f21c1896f435

SHA1
771b973b185185cfb039b1067f8dc6deba055dde

SHA256
636fb4b5c24549214a9f47726bf46f27c387357a437f8471605ca42e1190dfdb

SHA512
7b0eee0f562d735c167ea57ca2a40f46e3db19db26379e897639df263c3d073b4e73321e9f4d997678a00964a2b2ab7200cf8ecd016c3b9d98f3ebb8258580d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bbb561bc1ad374f98e4addea5458ad85

SHA1
b8582fa06c72394a944794c14735e3df661e19a7

SHA256
beedf7cb2bb98a60d577e6dca900188c4c2db0ca7af78228b203674c7ec33a7b

SHA512
b2e9834991bf8ae328570753014a34c92fbc36d20ddb18a5b063dd56af209655593864ea42821a59755b6fa0d0383cd5540d5f0b3834aa200fae4e80fa8adead

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
729489addffca361416229f7b57d5b2a

SHA1
282c3f95d7deb1c57b3b0ac64de53aee27f35438

SHA256
61bfe078a52c016c067ba813a43b1ee00aeaac19a77e0c0e787e25ecbf15376a

SHA512
27f25b4aebf6ef086ae684137764409f85054eb68feb64d37e5ab690951db6620140bbd7297d03e3029fdbf8ad47fca8591eb2849119b164a5befc99306e99a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77fbc5473dc6faacb9793ae384b28c2e

SHA1
71f46b17982ffc9d7aeb9fc5b9eb9eb0fbfab785

SHA256
8141c940718dda810ee5a9f64be876f19b1518a354b64ce2cd5f5e363f662be6

SHA512
1ec6064f9581684aaec1f37ac75339307e0bfbb4327a8a933b4415eb7d2c52892793f0974568e21a3c0404b20a3dd554fd8a5afa5766db4f2c04a79592dd8c7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8cc38e03edbdfe7a74bd938ec3401462

SHA1
70017ba9e8f7e4243445f7077aae09ad1c6c3738

SHA256
69ad7828415a8372c7b2683f6b84026cc0b9ebdd87bfc0db9bd1a7a7e44f4c25

SHA512
42fc2829928779b8ea2c72cc2ba3b32469d92c2ff0fd298fe90d50fa92757c520ee41d8d95fa63b6ed7fbfccfbb6d9d4cca234d4e68a0ed98415fa2b2b063e31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98a835d7465b5de192e693aca896c5dc

SHA1
be87f18d967439aa442f22b7d312e617583b6b76

SHA256
ca8b2a7c4dfc84bacb6b1d308443b1ba1eafc55b332e42e3eecbce2f1077ee3c

SHA512
4932d0e66c0a307b169bd0ab92c1090474e73479f122af5fca49fec53e9f090ff025a0bbfc5f35754a43a1187485b38b05ea38a65999ca2aad2830412ae7b088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db1a0a39ee7602f406e70784cee8d5e1

SHA1
b080160fd1729df805084bc5d59ef332d89bdd75

SHA256
016094d4b5f83a3560cef2ef7bbfffae14aeb16c0a1f087e5dbcb8d369447dad

SHA512
9d93c021974dedff4d934118f210de38ac8d048b0182f96c98e8cde48543c15d01d98368d42fec2256325a214184003a85c4635eee55885313d944a84fe4476b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a15d240bb201fc9f50401ac9ff0b13d

SHA1
957b3d30153bbd1f5715d90a9c8bf5b198600471

SHA256
7496dd4fbc2ccb3c2f1bb6afee9f378bc01618651e7511605cfe5440abd22249

SHA512
1811e188630337878cce7b6d68571bb68cf4fd905ddcfe835bf52e031623aa5dad40d3f592eedd60265928486e60ad173b8e19daa0d01294cd1c25c726ac0bd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e361deec18cac39f050c0b21ca70566d

SHA1
436f78c8099f36b9678cbd4f2ceeeb9af22fbb56

SHA256
7773bc3039b83226ef23a3ea67ed9d7ec6ea8d7187d56d88f3759a0e91e03657

SHA512
d90e24284ec9a912e28e1dce352586ad51113bd3014f9fe274f115a284dd379eca7b063283ac3d4cc6e81151b31edb425219791986dce61ebdc4c79998bae1b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c7300af529988ab19e63e3b96341269

SHA1
f9bcb12b4a0a431ba014c78be0c88daaaf0a57a9

SHA256
dd067e36702087de29369d158c18c93b0aee717285be30faaba95455cc792637

SHA512
8e8e1f3636399bcf450285e512e388c1f6f317cd07814827f5f14f625114adb435373e0e8300a7bc12a1dabb58a63ed18c5cd85af6780bf1f6ce30d3f1c17813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1edfacd6b72b579e61cf29fc62c64f90

SHA1
6820f57398f1acae0ad5af238bd482eac0dccf9e

SHA256
7b5361f9baf5518bdf8ad4ee25fd3f494111aa2402e075e3dd3bbe5b2073fbda

SHA512
6df8da7e735ef6ba65fd35c509169f86c2451fabc0698f48e4bd0ff2c2fce4b7a80f0311c0253c747796c0fe46fc5aad23f71a3f77743c79607c466bdea6880e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6edf5a9cdf1de2790dcfe7e2f9e973f4

SHA1
0a89ede8e75655bf009ab40f4284b7c8c28bd8c7

SHA256
c6d2fc8e634ae97664c39d3857b837a7ccfcf8711073a287fad8beab20e1e2c9

SHA512
60cd7050f2f9df08c56ab9d34284038145eceba3cc24738f90a1d0ca79f7383e380d7586cdaa759adc7fbbc7366776e40337b32f23e56657dbdc0ff47f5b4fc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0a93f1ffb8fb9c2636b49a39e8c9150

SHA1
79d15439db054056780f28011c9764303841737c

SHA256
f6f70c406c1517c017270085ad51b83ed631d9aeabab0cec85df4a0fa6003f4e

SHA512
bd4f13126a7e1aa94bfd9de554052676c08f8fb85a96fb047d9b84e8d5c2ca94f8c6efb32887da1079da779c696fe59a73805a5aae61eb4f9799ca4f34c66942

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7c4a6c3e8d70605e9cade8e2b081de5

SHA1
1d5d5079697744c3909924e9784ba8ccd669b8aa

SHA256
0aa3c786f07c2b278b4d1aa6226217700efa62d3ec6fa7de4c9e59be4df822a8

SHA512
522cf1b4c4d0fc15f69eb2ecd899cc522a3fc8afccc775a05afdbbfb2192ebab7efa3defbb3554ee22c449adbb777af64129a042a1807c71ef51bff93e2e71c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
989c11c7871df10d4f12fcb517479dc7

SHA1
485a3db4ebdad4a8e3cc60bc25dec9c58807494a

SHA256
a6e11ccc59f0fc7f8159414cb9283097e7d152d3365d37f6a272718bc9e41546

SHA512
878007dd614f025c7b549fe659ae670c90e52d1a619a68629d990e49592ac9f1a7c045999a1ec88d49e44c87a024685a0abbb1b28e9387b0a17584bd12f81be7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
781825b84ed73012f80abb9e130595a9

SHA1
4ee8edac5bf54908cf4aafcad9d108506863a4ec

SHA256
7a3f368bf8705cda523a78ecb1dd87c0521340c1a48cb151593228cd679d8a62

SHA512
f13e88bd3a0b2e180f6c426ee1d75e731f1d665958b9c8bb64672b59a59d07a19efe00b1ddb1a7e8c23304e0c78a86df4d7c69bea090903fda6a4b7326262c2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df4e5a094427bc327938469b5f0b9a31

SHA1
adfcef9f340db15664571800770aa3d6efe27d20

SHA256
40ce7e343b50184978a0e1bcdb0616fb352ed27b5b2596c1805baebb11697bf6

SHA512
f65fe8fed04993759a3e281f7d3d58a3546ecb7206f90a0ff4979801cd23aa0afadbf3a127463ea70d4ab5f4fa4f43a4618779b0db03228079c95b59eba7383a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
91c9c7f69f92c0e583cc54cdde3fe76b

SHA1
f6650c7f61433d1d9340c385dd3975cbf225fac8

SHA256
a73b94273fc7564ee881baf6085668569838a0cdf8da3505384a776d42ab6f86

SHA512
f25ef03529c77ce8c5ee61d95ee160697160cfb9b745f385d43efcc13823bf7bbf11330d4563afc314322788db012eddf9efc95797dee2d6cb9cf6f9476d3dcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de503630b925e3855d67a4a45c2e5c20

SHA1
f9e5dbf8ae746a92ced582e8ae88417521562ada

SHA256
e38672eb0d4c44e49061c3c18ebabeaf48035de389876f32dafd4683369e3dc0

SHA512
c7976ca5d88095696d83c502bfd8a186e36794a7fc1c03a519ea07f27ea228580b4c3f6ec99172bffdb291022f290a9d472f6e855403a0574418b888f0966cc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41e622cadc41eebf4e5b0eee439cbd00

SHA1
764296f10107b46c4fed903cb6bbfaa43431e895

SHA256
a328fdd6b3c5a315c4f3e3fe66d3027fc0740a5e9ed253fe8a83ec8497db85b0

SHA512
fcc7e585c5f87846410a7d674eb3694f3ea67e59ab685ba6112dcf30af122561a63b19eba3ec1ea15a133355554f4af755f08bc0ec6fa3d3c5c9c40381364c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb1a85d26169492dc946e3449ae30e85

SHA1
7385f83a14a67e15ab43a62e684132379227add9

SHA256
cf010e9a6886380f79bb99dab7b2c85cb3205edaafc2f6d1ca044b4904525f3f

SHA512
294d09b524e99a7ce3de07b835bf622e22fa2ac01122344ea3eeac9076385a2554ba1496c6117be8cea7f38eddc2d5dcfc2b76fd8f077390867dac39c9ca5147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d831d589a7ef11bd95c8298647022f5

SHA1
a58f6d565a61a66123d088af40306b1a1ab3d88b

SHA256
cce352ba5b92b61570d6377d922aca5d2aac527ecd714ca4782625a70a7b7b0d

SHA512
dae6eca8368904cf7b607771d478eee46a2d95b5696680690a18a895fbdaf577ac1ae06a1833ac46c5d3b84eb277ab5f0562bf0292dc725ff4ad540c6fc4c90c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87dbc7742d80144700c6b25c834afba5

SHA1
dde4ad5896fb0ceeae123ea40d1cfcbc12bb970e

SHA256
398fe39b8241233c2644c2e45bb0c0132f78ba694db41fa9063ccb0f0e220c78

SHA512
a4ff126e599085d57dd07ee16ce623fbbc86f1210605599b8fc342591b99768218f9b3bcede0bdac2a7392e67fd7af0fe703f110d201b2cdd6364f7197ecfc2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3175cca5acd19ba5042d43d4d6b949d

SHA1
e1f37f14291c0067b43f1fcbde2fc0ace2b437ad

SHA256
0dd2a0a4cf756e63668e74c178af6576617efc2398d7f23b825fb09a3183170b

SHA512
bd8f08da257478c20873309fa841074da13a97122fe0394821366e54dfb968b0fb3c5df1aa14a597245745441d7afc43a7afd04d3c26326f0de37d74e3d8b34f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b831d83722aa51c086e48b934267f77e

SHA1
fe9195be200155c0a27959dd1873579171db274e

SHA256
47b63f335af61ecd3ca9f772a88780e5385cf7ad99fb06a1a3ec9da720f1d4a7

SHA512
9245d519953b58f85f0a939409bb06a5acd0c5a6851eb1d1c0192f35148348e3284201dc14d63ed24bb1b1b7edea25513ef1039c14dd13db83fdad0d18a594ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5b46af4effb00aeb3243fad1bafa2109

SHA1
6e2afbbd753be59449f22956ed3dfe9e5c3c57db

SHA256
0368fd381213d8d5119ec521df449e97d00862d84a4f0e76ea50aecb05c4611f

SHA512
acde30db40c5ae4bf5b708eba7347a8e685aaf5747f8fd9a225fa14eb635336cbfd453655683a4a391b973bd25089454cac499bb73c9595fa1793076c8ce76d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\CN3YOMPD\www.avira[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\CN3YOMPD\www.avira[1].xml

Filesize
224B

MD5
339678439ec28b70c6f5f8812c50a708

SHA1
fc669836cb5600db423425357be27a5da4dc65db

SHA256
ec95850950f88de536ca52d62b7bf9143e9bc4bb8b81b2da17f667fe8c0d7297

SHA512
20a44d61fc8fd0b81ca37e80190655c62e9157c7a647251d7bdd0eb1a33c791505d767101cd14dbf94a7a74a184c45f70ba1705b777296d16389da9dfd0da1fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\CN3YOMPD\www.avira[1].xml

Filesize
437B

MD5
0fca9850f6c101310f1725eb983ad955

SHA1
6f6668d63aadc35879101257a1dad6366bd7e542

SHA256
4e34f03ab153f6556e8ac877417a534559922c8eae33e00a5f16d8142d107358

SHA512
f7a2ba5fcd4c817b730b23acf84a8a6af4efb845287c4200bbd3910eef1878f6c0c0d1f317066031a72ec170a210622a023c7be0ec64691fc815ae95e2f00c08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\CN3YOMPD\www.avira[1].xml

Filesize
575B

MD5
a1f7497179554f6f69f4f35daa7a4db8

SHA1
5b042b5c12441b371055a532d2caff6913dfb7d3

SHA256
d64da2f4327bd070078fd77667a9953ab022948d5e7ea00c8e21691709c652cc

SHA512
b336d13463f51c7b49c2f7389fb200b17b3c6e2090afc85d6e34e8fd4b4a6ccdd05f70a054d919631b037645689da19c95a5a476e4edf90820aa4d75f77c9d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\92bocja\imagestore.dat

Filesize
1KB

MD5
390bc669846fac5ff4efc71b1e9367c1

SHA1
f24bfbbb6083a6e88c98ce5860a3037c7892e732

SHA256
05b300512899d0be3df98638c2f46bf7403d44a1208e4eb8f35f4fd30298dfb9

SHA512
27eed42afa571ca59617ae8fe7d542dc83924aa05e707ffe98ff995916572edeca193438e763c356a2f52a127bd9b871c7f7b9ea133d3009fccad5dc66a979c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD9A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB8.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE79.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF1B.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HMKU9U36.txt

Filesize
394B

MD5
b93a9df8663ee2d18b07c941b8517da1

SHA1
63578859cd156f0c95ce28d3123adb832f3f8556

SHA256
8f546a644e01f34b229f96cd389ca24465f0647a8cca2efb3f25c9831f1f33db

SHA512
4e8d8886f68cab073d6a97dceb0eb834f84bc8fb2a9feadbdb5e1e8301f4b857aedd69ddc9b7972dee74ad0ce50ce70ccfbee0239447674b05928ee86c211ead

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M0NMTN6J.txt

Filesize
583B

MD5
155de0be71172152053c0e91159b22a9

SHA1
473c36501183edef45c92a1d8ba99d8adfc3066b

SHA256
b59136590a603eab5696776a86cf9bdb84813c5f80211f6507162b9c682ce7c3

SHA512
39337a2f671999a381b0312891ec9530029a8fb834a021c14d7718103ce939754516b094633f966bb75bcec4b4e753b8bef92d0ffb916918adad8bde7cc94972

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OTQ43WAR.txt

Filesize
812B

MD5
b97dfde787f4b23041853f5d1be31721

SHA1
2759b7e17bc7eff4de2763f565ad82a0af0fb23a

SHA256
0e51492cc20c4ceff2f6ffe529048e2b85e5172b8c9b2454ef655389c2195810

SHA512
b6d135e3528baf996cf9f9114dfda446b772c129039aa56443f5a66af1acd811dda9c289b0268da160db085cc2c326a9af499bfe0036050638624ed3f3a3820f

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
6709cee14d322da49f5791c2b3c90dd2

SHA1
1346825bb53b85819636ec74fd7069ee815e20f5

SHA256
737ed3cfe8cc4d0aed53c4b6f9694ed1a5e006faa13001b35bbdf5aac15fb5a1

SHA512
2cca984cc6475337d4d4446968ea98fa5fce53df40cde242422791c141e67cb8def54b5981bd4de31c313f1a7f5c7ff9a9564b6d487aef0348cabf5f9ea49454

Download Submit
memory/1956-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-121-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-2144-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-3213-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download