345dcbd65c098bfb7011ee6b54563bc540f1749b1fcfbf9a7b759299be04d12a

Analysis

max time kernel
142s
max time network
130s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
Size

140KB
MD5

e70f2cd3ecc01f5978be67c96c3a994e
SHA1

2f1e6ddaf066f6d9f9100041dd4a7bf2a16d02fe
SHA256

e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98
SHA512

4571f82fa212d11d971b547807781ba9f50261d9c88ec3736f6805ecacaf54b138681c2692e4c9f6b5d5d92f26ebcbc41aa7cc0acaef0f79299cf2a2033be92e
SSDEEP

1536:MEsyxfSBqE63VIf33YaV9r6C8b5f7rLk8YhJ/gnhSqHX4ixExm:MEsm6B56Of3RV9+C8b5vhSqHX4ixE

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\diskcopy.com	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\MigAutoPlay.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\msvcrt20.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\scrrun.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\winrnr.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfcm120u.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\secinit.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\verclsid.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\cleanmgr.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\dmrc.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc100enu.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\deskperf.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\drttransport.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc140ita.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\PortableDeviceTypes.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\verifier.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\KBDDV.DLL	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\Mystify.scr	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\srchadmin.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\atmlib.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\chtbrkr.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\devobj.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\dmvdsitf.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\jscript.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-eventing-provider-l1-1-0.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\mpr.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\osk.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\provthrd.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\WsmTxt.xsl	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\lz32.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\msg711.acm	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\olepro32.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\stdole32.tlb	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\wdscore.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\sdbinst.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\syncui.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\taskeng.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\vbisurf.ax	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\DpiScaling.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\KBDPL1.DLL	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\sqlsrv32.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\SystemPropertiesProtection.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\sscore.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\d3d8.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\NAPSTAT.EXE	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\netcorehc.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\uxlibres.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\kbd103.DLL	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\sqlunirl.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\tsgqec.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\xcopy.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\SysWOW64\msvcr110_clr0400.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\NlsData001b.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\vbscript.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\KBDBR.DLL	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons004e.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\racpldlg.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\usk.rs	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\wer.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\bitsprx4.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\schedcli.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\WSManMigrationPlugin.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\fundisc.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\moricons.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\DtcInstall.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\hh.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\twain.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\explorer.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\system.ini	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\write.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\bfsvc.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\fveupdate.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\HelpPane.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\mib.bin	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\setuperr.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\winhlp32.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\notepad.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\splwow64.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\twunk_16.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\Starter.xml	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\WMSysPr9.prx	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\setupact.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\twunk_32.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\PFRO.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\twain_32.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\win.ini	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "290"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{460E9581-68CD-11EF-9747-6AA0EDE5A32F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb00000000000200000000001066000000010000200000005d008ebf9ea4d14c85e429932f7476990676bb58eb856ddc5ca82c0a5b782255000000000e8000000002000020000000ee5691888e171ed9d251ea6bfb2017016010d20d5e237ee0ffefd31121f7362020000000163de90bc09be44cefcd3b8aed03a59bae05f1dcf75b357d153ddbc9eb999726400000007a6447b1c6f47f39cc85cf761a0933a35675844cfad8279c3d98408abc2632fc1058d6c6f565019f742770e4437f1ca40c5eca524edff00d50af00e1a4b8aa6f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30d5dc1edafcda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431403500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "255"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "290"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000ba6dd712efba5e78e75d6bec63a4c5f8bf1ded12aefd2b0377956c61b0cb84cd000000000e8000000002000020000000feadbe24e0c9b8c992fa5fb9047718e8daa29d8b5ea647fd249f463b5b45183090000000d7f37d4ab0c741b4fa8dc96e797ca9dbc786231d95f6f2f0bc631f247a5b782f53e59a7c878f706c4c1c07570296ee44f68cb23c870dd5878090364318d931c436d883421cb92ad2c7572d5d111616073cfb8ce3969a4c71a62c1e04a7ce0aba611688648a23bd32fd46ba04f14e3565c9be93370c2a8b5f39ef54f2cbb33b6e43dc00936b96e4b3c3fa2c449292bbc8400000002ce4b65893ebb66c56b95388132ffedf5970636cdfc047b6f6f89dfddccc20dcbee808101d9af839ade1edebd86618d2205890b9bac7a754867a3321aa995b31	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "255"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "290"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1804	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1668	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	1668	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1804	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1804	iexplore.exe
1804	iexplore.exe
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1804	2132	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe	31
PID 2132 wrote to memory of 1804	2132	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe	31
PID 2132 wrote to memory of 1804	2132	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe	31
PID 2132 wrote to memory of 1804	2132	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe	31
PID 1804 wrote to memory of 1668	1804	iexplore.exe	32
PID 1804 wrote to memory of 1668	1804	iexplore.exe	32
PID 1804 wrote to memory of 1668	1804	iexplore.exe	32
PID 1804 wrote to memory of 1668	1804	iexplore.exe	32
PID 1804 wrote to memory of 1580	1804	iexplore.exe	34
PID 1804 wrote to memory of 1580	1804	iexplore.exe	34
PID 1804 wrote to memory of 1580	1804	iexplore.exe	34
PID 1804 wrote to memory of 1580	1804	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
"C:\Users\Admin\AppData\Local\Temp\e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1804 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1668
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1804 CREDAT:865300 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
cc909daeeffd17f401dbf1e363a6e4f3

SHA1
5cfe654a10f4f3613d345cd2c834aa4dd603cd40

SHA256
f00d83b76acfcba79b7be547e637e729e48276d5d8a80179d6f4b581ee1b73e5

SHA512
ceb43d8e9ab4396433a0b3aea4f11e675aea031798b7f02ea9a899cfab5705340c34a882b841cc5ab8f0b6dbb08fd628707d6c5f30894b86473c375e0ea88ec8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b39e7f0da49e4d6b79d1c221bd2640a7

SHA1
68fdf3d22cbd2ca8edfe7cd73b6de9774ba76d93

SHA256
7f837820c8c8f51faf86b93f5b5766bb92c607d9abd928321b452ac3482cfb92

SHA512
5fa2bff575d63c01b4bd519c74eb505184d9670217004a4e21a0d7f6e7df2b771c4b53ba56a69a67bbbea8f2b971b57c51b3b54da3b09863bb974406d1bf9083

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d58e7757773c78bc83449cb2062a02f1

SHA1
935e858215d8e1bb80e779d36f29f68f63481e49

SHA256
5a8d93117db19064f2f99a563383469f1b72c9bde31f8f29ea83a30d5734e4ae

SHA512
da5d0e27c4f42beacbc6f5d9eaccd7d2d6bf8cf2ed9a1ac552f0dfec74dbfea1f8023185eb108fa388abbef8d0e00523e26ffb429dd205268f44f47a483d536d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b1b8b2401ce6542c4197f356d694d77

SHA1
021a20cfa033dcd7c016ec1dd51e8c2d22fce0bf

SHA256
e83045cdc2928668ba42dd729a13b17f3ec8de84194c836fba8e45d174dc8ca8

SHA512
9d19dbc4c767d2ea870ec6ac75cb026b3de4342f581003ef9d4cad4ecb9bca572f8ad8f49671ad86d5bc16252d6c36b9632fa7e87f2861a442cd85fcbd043cf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42d73f59c5f44cd0e7d4039d9a2cf3eb

SHA1
c72c6558fc5da76db6e2744efdb5e1ffe1f3392c

SHA256
4b168c945c0e55ee4111d85c111849c0034ec90cbeb4534f9602a1e048798fb1

SHA512
05f7aef1ffbd851bcb38995a906e892f89bdbacb5c2d01339ad014f53d7916deb182a2b315a65128eb95a9b176c3badd316bbbe20f8799ff810bad88a548c653

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcfdb0793d034dbf7d71d2d4ec313d84

SHA1
52d836801e195216e9bc66aa659c531d27ccd96c

SHA256
e100dc73dc67ff9f68e27e18b30464a3a0efc818ee1f5a7c9c442601252ebf14

SHA512
23d2a20adefe96086ab0f111d8d463732d47aa863a8550f0594357ad97c36c935730117580c88494673d3fed3700e7379841c2705c65039d94df64455a6fea01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96efdde59ca78cc7268091b07a7f8d65

SHA1
116ce79534e921c6dcd5fcaf6386d80a0b21c2b5

SHA256
1ad1c86037db30c1f80e53dec8c5c70b95958cc59de2a14514cd0ac967f83298

SHA512
abc1fb0c05f6c8a0715558cc9a7e734c1b7230dd4c6a691a2cd9f6326e9e8ab357faa177510b2295f733a2a43452ce1ca5095ca3de6ee743107384dfb522cd2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc2d31d180650139880bcf9fd5f78390

SHA1
b2930bfe4e35d5f78b667c1dad5e2fc4de8c092a

SHA256
931c69bbe4a65f4920c324396077f105f5bb0751ab09eacda5d9fc11b491933a

SHA512
f66b864c6e1c06ae0d685c2cf56468e27e33f063e3c8f2be2d7c06b3a9bf0c392b988b983a145b9d9a724d665669251cfa3cf11a2b91e189922d00e86f5261bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07a8c072a089a6debfc9b7551c49f54c

SHA1
4317e7d5a1e3c2035af9eac77ce42d4ed753b409

SHA256
38b12d049af69191653ae7d0b48fc07f766583f1b41d5372473068f3065addd9

SHA512
263e3ecae52ac3afeb0a2de87dbb813d6a9286cd05ad4129cbbd09b5527ef662829680a27e8b7f121945a761f3af2da1a28dfe177327fa0048101f19c03b5004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ccf1e2f2724725975475ec12f058c97

SHA1
62fa9f79c819a4b2dfc1b2d93aecff595b6b8b48

SHA256
2645986b87ef43ffb67a9bfa7da2d026d7060a45a20f732439a28b099e94e2ee

SHA512
80025afce3c72564e6977722374ea66bf0ba48ca92e89208ac319773e24429f6d06b3cc80b13722eaed51d52a6ade07e6233df5ed541fff7fca24743548749ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9aa894d18260c2b0adc1ab02c953a55

SHA1
6a2a6f5d424e69cfa8b77da66eb3cdfffa7cae2d

SHA256
b5bdc67d07e644b9054504d9b69012cea1882e0911adc671c0f0311ecb09be03

SHA512
ac49b9cd8b5b7fbaba770e701f55cf551f2e69f1d0553f6108465d9f4a2ff23cdbd3c781c1910cbce9dbe58c39ae57fc356fc302b329238652916f22dd699acc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce59e8f96c56119b317611eb09b4ae79

SHA1
6e76771fcd1c6284cbc0ed53814859790584825e

SHA256
5450dcedf32a6cd4b76d2dd0f6191d5e36b425869b356e9cb7ba1e9e1d851add

SHA512
4c33efe154278e4de400a303aeced11fb23f36f22e6b40eec3cca8274e563f0024f539c6c4a9259372ba84145db05db27847498afb33cdae6d258ba394ed9dac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
268f91a0e62d368de12f9935e35ee4ce

SHA1
43fd4c1723e8bf0106f283427d72cbff3d98b16e

SHA256
3b921c9760b20c708e20cac95fc893d2ef2465e6fc5a1214196ba9eec8a10c3f

SHA512
2eba7d4b476ea410399d9efafe57d19ca4773889aecddad7af5edba79be96fc639bfe1c5b82a359ac1de974a5d3646646211cf43ab0312f23e436f4c76655bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
238d4a0c287636ded55d71231edbb38f

SHA1
c61b77de573150c8f96c9ca1f27af15bbb96d97e

SHA256
364c363bec5c4d2834e2b6c1a21e6e246bcfda4dd8a01fe61e62072cb23e3285

SHA512
a1c5cc11bb246738d18dd53370748e69a9e0ef245dff7c2d1eae550e9b64ac8d5390c3b834dcd00ea86dc6fca4a842cbf8f066583351901b689862defadbac6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
347423eb246f024219e334cb233c02d3

SHA1
42f4170f639f35166c643969a4f2a0e3d5ce9d6f

SHA256
9258e4c9c013655e77f0f9bffbd092192d8dd02d459677545657040646708d1c

SHA512
23bd6a9a12e4b20c87806e0d03f86cc7d32f9f79787865fff432cfd6eb06ece8d96018b7ac18210f4c291b995251190cc138ea57e02b955bc1eeb8eeb8f3592b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e51a7f219a7a9767ef54e441ee6d91e2

SHA1
029aef06f180b91d39d3a67de089bd3e95dd62b5

SHA256
a32e9cc5d498f435eb046f44ec65467c765df18a951cedb2c91342712518c11a

SHA512
c31b3e9e4acd569c9e9efa05798347f6569c3ad3879692bfb0db15ef4f615926661ec1a9a83ac90d4f6910805e269a92c4527497c835e866a3cf957ea395ca5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbebd7b51d89cf780ee357e41a8d16a7

SHA1
0044838343932b4c064aaea14883be8c03849f05

SHA256
1d7626a119d3c853ca010b6513c047b969724c4664d7300b7393dec455dcfd30

SHA512
a6324b796c933a3a0aa5dc6e6cd33350da13ff7562939044414c3cf6c035b246486b56474da5e058332518f84926a050c1371adf0330f11d64eb707f5da67703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14eb94fa6fd827d40f9e6308c7bae12d

SHA1
3364e08de8cb2072caa1c49b6c91b4bff1677500

SHA256
8420eb537bf4c47cc132afd23ddd3cd3a83f49525af3e0d4d509b6ff31b8ce1b

SHA512
ed3ee806caace2ef4ae296649d6f52b2babfdf4eec400cec929a85346767aab1362d0ef228223059365fba977fc8c3608a9c97df166373e04afc8e5ca306ebda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1e6c86028c0d539b5f25cc746a607c8

SHA1
67c9ce8410c844e16bfb61233d57b48839990193

SHA256
96d6df1de645da415263c613a6eb873dd199afce199be735fcd206303d16b8a1

SHA512
a054528b6c53d0c2a15f4a86e4813179fe68a860a05aeb7d2f8427ce10e8300e424331e0fb78d9d7940f4c136215234aad31fd0e5029025ac725dff9d1542d4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03e923381fd2c527845788b899d32e1b

SHA1
f1e0c1cc55d013e64e994c8694b25076b331b67a

SHA256
b304c7584f5db2964d750e04083d22b38b8428583f23072c124f1db01d5ce653

SHA512
ef2788beee6586f765c7fc6284b387aad9386f04a1f3f86ea1dd21b1b5680fc38b5603741ed5300a5d9580d4e1c14cc779723a5f863b007c831bc92609d954cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9490f3917882e95274501a610e5c565

SHA1
c752e7796d44cde0f9597777552f0de9b93de990

SHA256
b187e67c520b4f21693d877ab521913bd2c6316110e7e11bfc9c68a4e55bdd4c

SHA512
9ef470f955425ace3358c0802ca81067cd4580ac2620f97135c5b0766e3ce00b84cbf99e0a18e208a9ffe222795ff2493f6c7b405308ddc112e800060b2e13e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ab64a6578270df5035c58b7ddb0ba56

SHA1
a07ad492444a78796463e3fd891cd83ecfebfff4

SHA256
9b1559f670f10b0e4552249098aaa77eefc7a21d6dfd0092651bef0020d46c4a

SHA512
38a28c5fbd7342ef2455b0bb4a24721840f60606c8bbbd65e47266b93289be874a045dbf48ee39e78bf1b28e4f85e828c8c755bd11056c657b821f452ada1186

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17b1d4025955e9f4dbd88a97b67578ec

SHA1
2839edb9db5efaf1b1f91dff54d32cc6b83341a1

SHA256
0f7f45d6810c6e6a2758a84b4718aa2a50e27bcbfa9779586dce4750adc72340

SHA512
ebec384459d2f707d0ce4f23adeb660b30f04807d5698efd671063dbec13a5124cb743715eea6e41c71bf969687c6814187b3b597e1a262a8ba77b463006bcbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc69dc42ec8b269b69c15a2ed47e04ad

SHA1
3dabaaec28c4626afa3ed4d31c7849867b1a866d

SHA256
70d2f5313540517a661daf83d7d88c4c1537bb1fa2779845cda33baeee9c3c1b

SHA512
8dde3218d51186b140684bbeaa527271c1214a9735ab305e04dfd5a327940927f84afb54bbf9521c2369737309b0826abbf7e6cb72adf78e6840fd8218eb6d27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26b727390f77be12371e0726d254531a

SHA1
0e9bcea84f303197157aff4ac093bc59d435ac74

SHA256
437ed60fa0e6e68092d30203f687943e85cd603c7430b076ea5f5ca2a0662199

SHA512
288e16ab94e0d1c8c59a56cd0f55c96b282527203b7da6e6af35b80979df58a2de5953cc00cddd4f647b17c0dd1d278e18838417d718c225767b28ebc173598a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a28606296cb6363ed756d5779f65abd

SHA1
4e7110849d8b2a76eecd8e0e4254fea5b1dc9e8c

SHA256
f07251eff9377b5f43a1d5f691af8efc109885792b0e991319cb9310cf56bb89

SHA512
e2e5330038f1a1ea3bac604526f8bfc8639626227c71f82ab6932d058938d08484dafd5bf785da271e8c62e522ec9f1790bcfe28f0c65571769895a7c0123593

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b2120066dc1d4158eab1351af1adce1

SHA1
a43a00042d416720f5c9f55f5175f4e3dc4a85a5

SHA256
d7b6e2661de3bb14d5f2f90192c94dcfbed5036e4c0a20f857f221a587f38f91

SHA512
4408da6d5c5150c7ce7fc69d3133f69ff2298470f19433793cbfbcf0826063f61fd01281c23ee88706eb922181bca8e511c8e056ab350fdac829e10af17cdc1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1129b1be6799272912046aa11ef7b01c

SHA1
1bec9a9008b9b8f70c8d1684bcff38ce783518d7

SHA256
92cfb80540a0277c4c302f1c24019bd25468abed8aa2ca756741786bcc884933

SHA512
7470adb28c8a75067b7c79254d3f0d8a96098bb33da20dd30eaafcd2e561ca1c5685b43eb60a066579364f8d52444b03819b850ff22b9b9c4d77cc8f74b89874

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32ecc6b165a99e7ebfcdc068a0db5737

SHA1
75bc1e594ad72eedad26e9ee2f52fa5591ec3a25

SHA256
3534bdbaa47254b87e632daa0c034bae0bd77d5042a4d028d8731ced18715775

SHA512
dfacb1a6344ade0206f4ce02d0d2dfcc5465a0d19eeb68a281a191edded676a494134ffa745c3dd3972f7d3014f2558648b8f845f761a8a7492f675549829a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbd478586776841f711b84b009e1d542

SHA1
b1c0cea4068a4261bd5e3ba3ec4a72aece27b013

SHA256
ef5cb4bd7e01b1b31e8c73d7fcd5a708bc068af5064abc9a8f896ea38697d196

SHA512
abe08f7bf3d557878efd149db1f1cfa37b322e74ad580c2c142e5a2b27f60b541033e73a4f3d64ebd2a0bdd855a29a5d3a3d08e658f726a1ab0cc99b0cde2078

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
506f52494a41eab140fe86bb4ffd7d29

SHA1
3cdf85fe5300657a82e8b52e0a23404aab90023f

SHA256
b1b87f6215df58ac2f63f4a39b08b749fab8c2a18bec740c1920942fd528f6ae

SHA512
7d5837900dc63ad9f01c7fdcbf07e9f50d4f53dc571cf0ee39ed255256e19d922328997a9f1fc10aeadd79261d9f07cbbc72db81f9a5c216878e9c059a2a128c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\TDGQ2P2V\www.avira[1].xml

Filesize
223B

MD5
d099b0d6cd297ac0ac8f90ff0a1e2951

SHA1
7d1ef32a2ce1b6a0556562e8615b9e9a4fa2510b

SHA256
c008f5aba0f8368c1458ad4e3ed508680413ccf8d1e40c649069d191488511ac

SHA512
9deebd85f618bf9f91a654dd51b43d0ce00fc84a4846ef0fa311090ef076f12c7e5f624faa2aad5161c6a4cecd3dec1e91f93f5f786e7419c67fc18b74ed49ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\TDGQ2P2V\www.avira[1].xml

Filesize
436B

MD5
7ace117f5446b85f5a8e998f90c65cb7

SHA1
10754000a7192035f31bc44aa501874445057757

SHA256
033f586bda876f64ad95887243744221e207b657f2d709a0b16cfae592210f51

SHA512
7e57bc50d41b726696d27b23f3f68d92fec6c31d5990b79dd0a9d0685f83c67bf20760a637651c9c8255c4b22c70ebe2ea51d6e45381b3a65a37223800a73f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\TDGQ2P2V\www.avira[1].xml

Filesize
573B

MD5
7857c225fcc0bf9bbda1039cc150e361

SHA1
9d288d398932c0181f65133f27d50e76884e1979

SHA256
e60d027b6117f14677e28bee2d1690613d46a883372acbbc7a7cd31ba1bc38aa

SHA512
c9eaf3746e68eedbd3f53ad1f489b0a12863ff5e5d0d77b387682d3ac8a3dfad3efb24c0fc036a2955ff13975a3aa33cd0e38d7a0bf7b401c433d2b5471d1200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ivwlua0\imagestore.dat

Filesize
1KB

MD5
815788cd9e329ccabe6ebe0846ca669c

SHA1
18484c4279d703c6187d3b57429994ec2aaf4fa0

SHA256
c13cc39ab3438556045e4b71c1e60115fad220078f09baf9914d4d70262ee5ca

SHA512
d3da7cfd619d170d13835d0363ed4ceb370f20d414c8fe786c9b84c0518aa88742a2f78612b4aff0197bfb9787f26819b2d4a15206687d50edd36c5bc8044737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA71A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA72D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DO2CMC8Q.txt

Filesize
577B

MD5
4bafd03381c42d78d5a3a4c63dadaa4a

SHA1
2cd02737168cf609cfc1b20740aa6c9c536f369f

SHA256
fec32e1e9635996cc0820056c256ed22ce7e63730f10cb89500ec340c7c51034

SHA512
492e8e6681a96e3b8a26f934391922b24529078f51ec58b873e968cb2267025c6bb6373c5a845bcf97ca42a948b123bdf25b062a243f7338dd09165396cf13bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LO75J7HB.txt

Filesize
637B

MD5
5467e59e411c5960d9edaee454a95f50

SHA1
0fd33192adc7b38c27bae989e2e3cbd845eb788e

SHA256
22fd39b8de2f400c4b7bfe981b1a009d891c455d9c51b47f80ecaada07a71336

SHA512
f589105c5799fbaea474d60bde9f07c60cb13c4f46c9dadefe4453a561ce056fc632864feb1894b054a60f4c134e3f0b4d4515978a4bf1d0d80077187ee93547

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NFF1T2MA.txt

Filesize
390B

MD5
ead68c6e65fc4a031cd605419a4dca73

SHA1
85881e14e45225a62fe977c14d1c90c237148325

SHA256
43af302ea91da731e7c6b42c2b7b6226f3690628756341c41b272be857956a38

SHA512
196fb2fcbfa3fc9142b55ba7628774a79ed8f62d4e1c0199f67269fcd1b451dced06d9676b28cb50ec447d200e622b5009756552f5b9228344d87a18028040a2

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
7b28d30df7839fa467cf854a8c241a34

SHA1
93649a3b72b556ce1f0a28d42435d54287a0163e

SHA256
8bc0df3abcb2700e9c4e1716e29b6bad7466786265bf3f440b806d1fc26d1454

SHA512
d2a4d09d52acf5a15733f5d35a80c89f8ee32771108fc73f59e40d5e2e01c16124612d8fd8c03d499fdcd35da740ef7f5d7ee853745fa1e17f10fe4093d85bf5

Download Submit
memory/2132-121-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2132-2596-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2132-3-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download