70cee93222529492a9dfdbaeda4bdc9e12a4f5485ca24e1bf9436a3a776c19a8

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 01:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
Size

224KB
MD5

f7ca1ca80dc9ad507ac644cfdbe26284
SHA1

765e10af33bd1c6695631c92bfc56d3dcd24650b
SHA256

d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c
SHA512

e4a1794f458d5c2da29ad92e034841846c9c0a2348f48f1e0f192e4e88ad1fb4440fc906e6562b3994bcf49ff0d81a05c6cf0df0f03a4ef035f4ec62b376eeb3
SSDEEP

3072:iWnP3b7gzx+f7vmT86iTCLypaGU95GzJ0bd9frUG3ETYCv2wiMbz6dgv5zsN:RnfIz66eQypaGU957J9T8vjiR6+

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2292	wmpscfgs.exe
2168	wmpscfgs.exe
3032	wmpscfgs.exe
2128	wmpscfgs.exe
1624	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
2292	wmpscfgs.exe
2292	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\SQI5FWDY.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\QH2FKC1T.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Y25RRXY2.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	rundll32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dupe[1].php	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	rundll32.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bSzRCAhPY[1].js	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	rundll32.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X88KKGAA.htm	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{436BABD1-6998-11EF-BC3E-6A951C293183}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Y25RRXY2.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{436BABD3-6998-11EF-BC3E-6A951C293183}.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\SQI5FWDY.txt	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{436BABD1-6998-11EF-BC3E-6A951C293183}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dupe[1].htm	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\QH2FKC1T.txt	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	rundll32.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\adobe\acrotray.exe	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
File created	C:\Program Files (x86)\259616005.dat	wmpscfgs.exe
File created	C:\Program Files (x86)\259616021.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File created	C:\Program Files (x86)\259705051.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0E5AE4B1-6998-11EF-BC3E-6A951C293183} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431490594"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c92000000000200000000001066000000010000200000000f87896e969b4e4594f46d3e819e662e518adb550bf0bb7764fb1d6d57b620f1000000000e8000000002000020000000c1168ab35797113c31a5edb9a20aed9a7aabae20f6649b733d73e80c1c7fc8e9200000009fee231cefd9e1db69f0075a75f46c9469c6e8cac4dbabc65b9e8a4e07137a98400000007a5a9f5357bb0335057342e3c430263d9ecebee1a2825e57b8fa632c5a8f56792c4c784015b7f821df1697551180eee76ae8aae717ea74e7ad39bed552ef3c31	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c9200000000020000000000106600000001000020000000d9deea9608c1195a98c0648a2fbb4291c932f4fa57c1c6157fbb207307827f55000000000e8000000002000020000000825c68ca90762eff3ffab456677209252d06cc69c333397c6f45c77d5b2eb79f90000000c6012968ab6d3ecb15ad783e53241a0c9a0039ffe6448b030720ca7d6ccc12704e65e577705fc3cf6126b05af9bcb15c456282022c34ddf083f2cf2434a11382b0855d26c23c735ff4b951d2dddc2c149a51113f8c086cb1f2852fe10ee9912fb8ca94cf15c186381de88723f8103123351dc8b34f7d2baead4c81a8dbcbe6aea7340cc81b1401b247b017aa26ddb92a40000000712f65dfccded0ba2d2b69b4720c1ca71510c75c217bc9e615045866f14bc84d23350bf5700e4ab4ccb245bd0c3b2c9facc255230adbca483e7002882491bfac	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6076c3d2a4fdda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 70bcee05a5fdda01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{436BABD1-6998-11EF-BC3E-6A951C293183} = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070900020003000200000014007b0100000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\NavTimeArray = 000000002e0a0000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D0CEFFF8-4D4F-4D28-98E6-6B4E840D0C23}\0a-36-2a-82-da-07	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D0CEFFF8-4D4F-4D28-98E6-6B4E840D0C23}\WpadDecision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-36-2a-82-da-07\WpadDecisionReason = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags = "1024"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 9082c908a5fdda01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D0CEFFF8-4D4F-4D28-98E6-6B4E840D0C23}\WpadDecisionTime = 30668307a5fdda01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807090002000300020000001100a500	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wmpscfgs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
2292	wmpscfgs.exe
2292	wmpscfgs.exe
2168	wmpscfgs.exe
2168	wmpscfgs.exe
2128	wmpscfgs.exe
3032	wmpscfgs.exe
1624	wmpscfgs.exe
1624	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
Token: SeDebugPrivilege	2292	wmpscfgs.exe
Token: SeDebugPrivilege	2168	wmpscfgs.exe
Token: SeDebugPrivilege	2128	wmpscfgs.exe
Token: SeDebugPrivilege	3032	wmpscfgs.exe
Token: SeDebugPrivilege	1624	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2908	iexplore.exe
2908	iexplore.exe
2908	iexplore.exe
2908	iexplore.exe
2964	iexplore.exe
2964	iexplore.exe
2964	iexplore.exe
2964	iexplore.exe
2964	iexplore.exe
2964	iexplore.exe
2964	iexplore.exe
2964	iexplore.exe
2964	iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2908	iexplore.exe
2908	iexplore.exe
1168	IEXPLORE.EXE
1168	IEXPLORE.EXE
2908	iexplore.exe
2908	iexplore.exe
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2908	iexplore.exe
2908	iexplore.exe
1168	IEXPLORE.EXE
1168	IEXPLORE.EXE
2908	iexplore.exe
2908	iexplore.exe
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2964	iexplore.exe
2964	iexplore.exe
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2292	2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe	29
PID 2416 wrote to memory of 2292	2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe	29
PID 2416 wrote to memory of 2292	2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe	29
PID 2416 wrote to memory of 2292	2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe	29
PID 2416 wrote to memory of 2168	2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe	30
PID 2416 wrote to memory of 2168	2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe	30
PID 2416 wrote to memory of 2168	2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe	30
PID 2416 wrote to memory of 2168	2416	d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe	30
PID 2908 wrote to memory of 1168	2908	iexplore.exe	32
PID 2908 wrote to memory of 1168	2908	iexplore.exe	32
PID 2908 wrote to memory of 1168	2908	iexplore.exe	32
PID 2908 wrote to memory of 1168	2908	iexplore.exe	32
PID 2292 wrote to memory of 3032	2292	wmpscfgs.exe	33
PID 2292 wrote to memory of 3032	2292	wmpscfgs.exe	33
PID 2292 wrote to memory of 3032	2292	wmpscfgs.exe	33
PID 2292 wrote to memory of 3032	2292	wmpscfgs.exe	33
PID 2292 wrote to memory of 2128	2292	wmpscfgs.exe	34
PID 2292 wrote to memory of 2128	2292	wmpscfgs.exe	34
PID 2292 wrote to memory of 2128	2292	wmpscfgs.exe	34
PID 2292 wrote to memory of 2128	2292	wmpscfgs.exe	34
PID 2908 wrote to memory of 2804	2908	iexplore.exe	35
PID 2908 wrote to memory of 2804	2908	iexplore.exe	35
PID 2908 wrote to memory of 2804	2908	iexplore.exe	35
PID 2908 wrote to memory of 2804	2908	iexplore.exe	35
PID 2316 wrote to memory of 1624	2316	taskeng.exe	38
PID 2316 wrote to memory of 1624	2316	taskeng.exe	38
PID 2316 wrote to memory of 1624	2316	taskeng.exe	38
PID 2316 wrote to memory of 1624	2316	taskeng.exe	38
PID 2964 wrote to memory of 2064	2964	iexplore.exe	40
PID 2964 wrote to memory of 2064	2964	iexplore.exe	40
PID 2964 wrote to memory of 2064	2964	iexplore.exe	40
PID 2964 wrote to memory of 1600	2964	iexplore.exe	41
PID 2964 wrote to memory of 1600	2964	iexplore.exe	41
PID 2964 wrote to memory of 1600	2964	iexplore.exe	41
PID 2964 wrote to memory of 1600	2964	iexplore.exe	41
PID 2964 wrote to memory of 1512	2964	iexplore.exe	42
PID 2964 wrote to memory of 1512	2964	iexplore.exe	42
PID 2964 wrote to memory of 1512	2964	iexplore.exe	42
PID 2964 wrote to memory of 2720	2964	iexplore.exe	43
PID 2964 wrote to memory of 2720	2964	iexplore.exe	43
PID 2964 wrote to memory of 2720	2964	iexplore.exe	43
PID 2964 wrote to memory of 2832	2964	iexplore.exe	44
PID 2964 wrote to memory of 2832	2964	iexplore.exe	44
PID 2964 wrote to memory of 2832	2964	iexplore.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe
"C:\Users\Admin\AppData\Local\Temp\d2f28457b579e784425560c3f625e5aa910976fb4ac9816edd8e4e7e8acad34c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1168
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:472077 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2804

C:\Windows\system32\taskeng.exe
taskeng.exe {214F91F5-6AC7-479F-8D05-B75C465A3C35} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- \??\c:\program files (x86)\internet explorer\wmpscfgs.exe
  "c:\program files (x86)\internet explorer\wmpscfgs.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\System32\ie4uinit.exe
  "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2064
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:275457 /prefetch:2
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1600
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  PID:1512
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2720
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\259705051.dat

Filesize
4B

MD5
4352d88a78aa39750bf70cd6f27bcaa5

SHA1
3c585604e87f855973731fea83e21fab9392d2fc

SHA256
67abdd721024f0ff4e0b3f4c2fc13bc5bad42d0b7851d456d88d203d15aaa450

SHA512
edf92e3d4f80fc47d948ea2f17b9bfc742d34e2e785a7a4927f3e261e8bd9d400b648bff2123b8396d24fb28f5869979e08d58b4b5d156e640344a2c0a54675d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
637855478a0399d8d70983a0e278de43

SHA1
9a5fae718bdc1b943801991c5477a2ff7bc0aaf1

SHA256
6f0c69182a9b7aefb5c1415592546a8ae26df423b4aa971cfa711824b83357d8

SHA512
d530353e7c8e0d70d102bb8ed20f2658e804ebe3ba9586d2492e2fc6c872062bf6fd9c64378b8fc901768f76cdda293e4cdd3467d5b341386cf6fd7ffe4e568a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03b1fded96d09e295f75e36c4d78455f

SHA1
ee9c95c4058612d6af3f6b2f84934f9cb332dd75

SHA256
1bc9c58ac9146b9a546d78c29876ea1aeadd45f26a3f3b84ddec62eed9cbb340

SHA512
466a992dad05fd3b555d8df5e77f8a895322486740b2506a16a85028fe797b879aeeea45477bf3cdb7e49e2f7eb345df66149b660593ee8d032b58879e136a35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcdb11eb78653c1899dfab6f0351ee91

SHA1
30315063c56c9bdcb154ec3e33f945874b63a4a7

SHA256
d73f136ee9d6bc321628669f938eb01fa0b33087a6007d20f2055fe4fb2dd9b7

SHA512
e270658930fb44b54f72ec66514dd83edbc7830eb482c1ae416f8234ee591f4a42a8643635c2c60febe448b7fe2ea6801d487300bd02a6ab3fd8915000e158fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a465b83623b98b5eb291f1735166bd17

SHA1
391864546264182471d63d60f176da34de7ecf69

SHA256
bc398312d3746abef449d18acccae31662a4ee01dd3fc5301f71f4fa1f2e058f

SHA512
9a9430236601defec79f46b02f7b7de57665c19b82cf6ac83d430b81abc65f2643b331b5ddded876e3df055f4a157162bd8895b18f3f7f0ee5c91c313d1e5ad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f864b307861d5b1d8a32a6d14f08397

SHA1
533bc486a22300ab952d6d2ab509c0c1f201d11c

SHA256
0dc8b2a3397616c72430b75dc0d220a3ecade3096abf1aab5e8984c00cd44178

SHA512
70f441f0259c7b03198886d0b3fdc4bc7232c5245af7dfaa003b5a4263e93fe4bf1bbae493eaa013697bb2fdff9eba9b6626d7c6bbaa410cc6a96eb7580b409f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec43f2648e6c490eb08e3e5ab85c2625

SHA1
6d1f88622427862a5d0416616f8eb416aea092fd

SHA256
fb045d1fce71dd07b68241baa05cc26055c47dd3a95bfceeaeaf5f0a6c4f8a40

SHA512
4a47552d64e2caafd363cb961ce9706683a85e389f538504f92a0851fb962f9789dda065122be47ced95ce82b3720b0e2eb00d4bc700c5603c42c39b86cfb921

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce21a35114745f7f10f3caf864434e50

SHA1
ac3546e347b4d4a5e1b0a9ec136eee7cf3a2cdcb

SHA256
adf275381a7e14eb85d69dec9c0de5bcf5baa6a46a218dbe3b7d6118d1e382a8

SHA512
05de11edb19b438b3191ac8eff9779c2eea4941a0b298962e5b97c27d31d2cc56d5ab55816021d0906ee2b2c5ddff344bd1ee6295b25ed7d1ab2ee9133d1e179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a8d6e98e4c0bca910218aee849cde77

SHA1
1340c5e1ab3dc0621b23d1369fe29489048d58ec

SHA256
18db42fba13b74108653f4368d96c76dbd5aaec7d758a660d79130a1e193ee73

SHA512
4dd6e92ece930672d959bf9dfbdc48ec8b11fe3df938f6de738f10c91b3e53f17eb7a48e6fbd1c2b0346bc1b5fcd9a0a2694b9f44ae832443a20acdc0dc07876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4fe8c06872e6fa865dddf69339fdf45

SHA1
34cc9becfec4f875e3a5008c37096b49e131c489

SHA256
363ad6ef373b90930994837e8489925b07c8c3ca4bb68b3294239d81209957c6

SHA512
c61060b88b58915b40a6d547b7541f2e26b5df0c04bff7539703068451614b4a48daf68207de53e0b0bf2d14e795f51f1e6b3f3353185bc034cf42cc4eef5db3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de4eaf9d734e7cd40b3fc6530d842b8b

SHA1
1bf68001bdc40d2fc4d6d74c0678c1450e8dde33

SHA256
0f326e442e9572bcba48ec9bbc92c4b1532c4ce5743f0a670311be85938e3ee0

SHA512
0342ee0cefe716c2112081e1b87901d5f0ccb9fe9a74007e675bf7e81bbf22be33cbe876558cd7acb5df5fc102099631dd7b562cd7741912a9eacd3bca3ed76f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c4e2bcc2932ba864bf14bdf8b36bc63

SHA1
3557cda1afa383081cba1c8ff2eca8fa507f7d20

SHA256
4a31f4a6c6c149f38777a63cd7c999175fbd6f3f93fc1994e78cd85d6a8bef51

SHA512
346fbfcb39100f0cea95f10c4359671b1f6ea4eb453be29c4906919c7f6127800a56f0c6f2d9d0d1f7775be733d3f18c1da6a183ac2469e90e11f54f4f706dba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf056e525e6be16615274e1912626970

SHA1
f17636829fc3559dac6cfa3b03849520b42ebc1f

SHA256
d9cf4f90aae05646b53b66e8199ef36c35054667f6e6f2415e16fd10f08957f4

SHA512
30fa6895c161b646ac012c635514ca81582f0458a12fb6f06a4b6dba3f1b085b6a45219eefd1a2f27a52ab459b4a245daa0a926b57c599cab3f1a61889bde4c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e374f72d8ce374ec448e5d70164eeccd

SHA1
dc5fb3b070699a38984570720d6e7eeedf0adcb1

SHA256
021fc6c0953660fb0aeb503f2792f2eabfcacd15d3ba31387ad47e48c7974dd4

SHA512
31bf8d3723f88141868631d65c8e16fa72403bd1a06a9ffec7e72e54bfb408196edb91aee9c94e50dccd1d998bb3781c41550a989ae7354d0578000f59b9c784

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00a97deb4f8b3f1592255328614eaa47

SHA1
322cff705c3fd12d7881e5f0338159b5d638cd04

SHA256
c70b114d4ef94306273e74182d61fadb0ed9f75b4a592b47e965bd42ef9021a9

SHA512
a4f75b7ae370766491afa7861ceee4afe8795b85426fe8381ed3cfb09726531e44e58d1107b33114b0990fbaf072f493278d3f674a4fde8f94188e2ac3200fdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f3dc868c3e58f7aaa7f7874966d5dee

SHA1
0f1a17b347708058b74f2118fb1b4b6635f98784

SHA256
c38887ebdda20eea98848cb01385e8c20416d76567aa97d392575f6dbc5ae023

SHA512
2bf319f83a0dae7c4bfec281d87316edc29a16319d8792c770336b7dbe4d240f83aba3029d04196710988c2601e352ca251906fa360202c7482e89a4d65faa8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97159da7c355e09b63621a61236ec233

SHA1
1a00b87bd95103c12753f9ede7f67bab72114aef

SHA256
dd1d072278206d5e2e2e600ee3277e0ac43d7e406b6df9bef51f3ca059f8cdb7

SHA512
ab1f913d9de20aa6f21ab3a4c75b492c696158ca37ab0cbf0178958185417ad21bfee33b74e11d2d772e6626f4dbda17b32bff9d17832836149429c9854bb206

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6206798dd56dd2af24e5f943febf76f

SHA1
8a6ebfc7bbbaaef96af6fa6f1f1b66fa25ca2298

SHA256
47a0f27729fabd485ec9d7e14ed6ba216fa8b095bfe3486cf06f5c993f0923c4

SHA512
9e859bd4a907d07981ec29f200a2a0999d5abdd8e789eb6f4a720121a113a423e04f75a418d44399e3efa199be264100f1d0c7640c401122fbaa2610fbdb90ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b0bff12b2fc71086f7fb17806244b21

SHA1
c21f27befcbb45d82d7aba1ceae50b86f8301e87

SHA256
16c1b303b69e67895e2a8808563a570e0cde63c3584d2f81d7ea9084d56b41c2

SHA512
3b6319b645212bf0a90404a90cc1d8092a9430e29b61675da6b21ccab18f54735be2ba9e5b150c26ff893133e09722a41c51d28e998ac9ec4594c2477cd07906

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0340971aaca848820c567cba2aaaf576

SHA1
6d6f06b87f8c29740a18b4d5482b8343ae6e97a8

SHA256
88a8777b0921a3d21e2d7ff475b423832ab14857b75d6ad8035d1c3d1fd6aaf6

SHA512
2e167049773cc11ff934fe58f6e86e3a70b53d8cd371fafbc174ea13f268b922546dd9c7c77a92110d93782635fefa78544e595434d8d0bb2d73f43ea67b2e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4VBOHSO\bbOMWbwJd[1].js

Filesize
33KB

MD5
e2ec36d427fa4a992d76c0ee5e8dfd4d

SHA1
47ec4ace4851c6c3a4fe23ad2c842885f6d973f2

SHA256
36488e81afcbc4d7018b8764c18032b10be21aa45521c9671fde0cc77f70b2d8

SHA512
d1ae29d19f65ce74b9b480c82b87315634ec2e96d199f5feb423918af9ad6e24c8b436e03904d452f71562f04c42acbb250256eed73bcd592a79c08911c74976

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab897C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar89EE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
226KB

MD5
a69889da5edf538d1a584534045a1b5b

SHA1
451ee0a6a6187d73344c467cdc664c3b7899adf1

SHA256
66092ecdcec5a6d7774af8246a9a1fb84ff44fc1c5b441efa79ab9ab2ca1a4e6

SHA512
a13a3e95b4d2dc4fbb989f3703008f26b461729972a381e9d486aee0bd3246a14f7bbcb12a3492c04bb83ffd2f6272aea81c1e50165daf3f7cfe8ef6bb62731f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CY981UM6.txt

Filesize
107B

MD5
d469b014531d59426c1ed1ed733a204b

SHA1
a47d98ab082b2234535485729d3229eb67859352

SHA256
a14eaf8d98dc3936e1131c14125e21d9e64cd1eb169fed687263bff8abbedae2

SHA512
b8258b9ff0ceff1c1c0040f26fbcb1fb0e1cf29cd22be1461086c11997204651d7f365ed80c7fb2e41ad66cbae39afaad5a5da20dd92a3afad6397fae8201c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H0IZMZ7V.txt

Filesize
123B

MD5
fdb3680513caed16229b87879908c41a

SHA1
35166bfb7588ef37954e4be2c2d1445b7c9c9512

SHA256
6220e2d67f5944c839831e4ee9ca0c193d0dbea1c89fe2473c2feb0f2208ad24

SHA512
ee4a865f4bbb0c82d424757d0581f98aa83c285e927589d90fda8b4d9f55e31176ea72e6d23a55542986a08e4ae39f64f8eb13f5029e1805c967d6515bbbce79

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
0ff5f32007fa64166ea1369d15741b36

SHA1
316c80cb332ce92479770b15868a0ff394eb5a43

SHA256
ddb7f0c34846f8167c0041efb409b8332bb0c9efe285649920914eeff741c503

SHA512
933bd32f6d2d7331f130b41671adae844d09404c483cf0827ba54a935daa9c0d5d886deda2ab82f5b22b4889226cf17c2986f5a3058e7a319901d278cfb2778b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36cf65d52420beb973926f451ab8e731

SHA1
04137cbc8e8e9dfcfb3af77c982f6e39ccb60e0e

SHA256
3c3245b3084c4357db62e04185fd454cdc259e2f56dcda391091c60bc049b5a5

SHA512
a3225be5ae5a2fb1fbeacddfad8ea14952cfa3b1f9168648d5d73a9cfbd5632752c508a1909c1ba3433dc0bc649bfb29e8acab1baedd36048bf2719923f0c442

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97e97dd8f4e5c82ff3f99ee630b9d798

SHA1
689cf74ab8b370eb9c11524f8125a292015a7157

SHA256
859adb5d1b7ec9ff18dd5b73c34528baf413f0dcc1face2d98af44ab9804530f

SHA512
3ca5651d6a9958e5da3638817cea9b0fdd7ca464084b82a692ff54c7803ce75dd34405d9150e5d8d323e2024356012c313874caf8faa38d8c2ba4436e38b3b2e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73848a9d43263dee7ef8d6953aab9142

SHA1
c770ba3a6cc5cee33c0810d230c31240f0c1e6db

SHA256
f8eca02ab3a376027f99d4a9ed32b8246c5b47e4db25e383dfa5ee6f9cb1a1e4

SHA512
15852bc661d31f261a3ab82382b60e7524cbf4b6d3217d84f020b28d771caa7fdcfdb278a15c77f0a5bb2dc8075afee8b1d9ed8f48e0da45e1ccc22a6fe212f4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1261a1b7b69d76d222f7519d8b697f6

SHA1
b8c75969c2f99200322fdfbf0be5787880b354a6

SHA256
46e8cf138514c43ea0e1368a3f26cc86eece72428086c4e1f1b23e5540505751

SHA512
bbef319616c72bc6b26ac3502b1e87009159e415c6c40bb76b3a59fe2e69ab303e02c0d4c225551c593c9d51266bb92b3a0914ed775dc01c39f9e8aeceaf3a78

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9359a669be7acc72a5de40cf27968785

SHA1
6bce71b07fd018ada1bd50b8a6d011a2fa95a672

SHA256
452e0f1b606418d5934fbf9b9013d63c9bb5cf939bfb0a59763ec4953616805b

SHA512
a49678205121a0299f1f07e55e54f9684f7c6102dc0917727ea6496ae21c06b97cb683c938d6a2ee8b5c92a9380c1f431443ed00bda20761442ec5c4ebc84c7e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffeef4c8f886ddb9680f5b3365911c37

SHA1
5ef7f53c2d9ce785c1a1423e1b86129e317216c4

SHA256
17e484db6be7d92cf93c862e917c41dad659f824f9d83870dd4473a3e94a5619

SHA512
0f14d60d607992b54c4514af6f653c179fd2a6eb90c2d9497fec488ae5d03a3039a2aae50f991080b43f08cf99524ed28e163d4715d75c6caa4c4bfc731fa884

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b1f53e51191266803d413416f5fcab5

SHA1
610018229ed6878178cf57cfbf8f3a532764dfb6

SHA256
e1e77dfd0d2bdbb14dfaab6583da41b40da35c157e1ef4ce89097e63db6d65b9

SHA512
02142cdc8b381f40813b91b9d37f7f84219dcb5eaa4d8998bf1eb974df5c75973169d27c7bee6bcc7317ec790b563cfc8fe983ee65bc33707351cac14879e686

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af717ee2e22b4b241a63c10767feb45d

SHA1
b572f7d7889ebefb54df3632ecfda48ac297fdf4

SHA256
6d6f108622ef9eb201ab6c96fe7bb127557c66d47ed62b7ee4436d86d04f016e

SHA512
4853101c73ed2b88dccee67a8861431fc22d6ea2aa2cf32d1adb4f91353671770027abb8985c708a59699c1952ede01671a12f3d32bd507a51d02cb5b570f704

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f27fc9e4bd7ec9a1d46adfda43247d3

SHA1
53f55aa47b7026513a289bc202bf1f9ce77e91b4

SHA256
21f6c45740b35b1a55fb788beb09c4bf766e3c03926079500c4b8f34feecb409

SHA512
f191bd9a5dbb1732fe2ebfee16c22e5f9f5452cecc24f374b14469a2787a2dd61425e55137097780b96c28222d07dc99d24c8971716d38f9b3c3d9bc9b971b4a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cc02b9a7b1458cde974c49d80810335

SHA1
5bc05138a44de454b524ea2636053b837a58c651

SHA256
d2bc474a2c2bae127549a566e535a69d3a3d82a37f26f417a2f9fe4d306f853a

SHA512
2405f0b8fde5aa192fee72d2a1d244ba0c84f0515a237f43ae5c12f83bf1f9e7aa79652d5892a62ef0852b8cc260bc0445b461328565dbbaa62fc7cceefb33f4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b1b16a2f700d3b54adfd38cdcb37333

SHA1
37c046b1f42355bac61319c102b90d3fbeb36500

SHA256
16dda4184bfb9cb03fb0abf91f8f263d907004769385b2fb95cff40c6b22a3e4

SHA512
2e14e4e1889ef5f737caaf7ce844e6cf16105a13b319a7671d38a7b2d8b626a8b4a4a02db33279459c4f27f09bb40680d43128cda643c8d2e0840688f2e90b8c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3b014513648771c46f0cd9df0798ba9

SHA1
88058128bb23aa0f7b35c936e3e3a37103b80d3f

SHA256
3241b56075456a8a2e6ee6d5ceea33b1a42ae091af82d535e5ba3c8b66013144

SHA512
3d0b86918191d9db4a017ae3912bda5dc080041a248396737996b3a375de3e991597df27cff04d3582676bf52b3dc3cc84dc784933acad6628bf79f185dda124

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
179ed61c97d33d3a69297fbd84e45e92

SHA1
81ca24573c0be2e8665582bc3330ff15c349dc72

SHA256
350d6bfdc9941ffd7d4b60179fb0d0cb1ec9b64049d160853e4dded8d17f5721

SHA512
cefe393ede96adf5ba2a71283f377a6742a705756fd3e85891781ee694f11154367391960936fb3679479b78cf7ece3beed5384cc38ad5a651219aaa1830fe68

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8c8e5ae6a59a3093cc8919f42aeaa6d

SHA1
932603df2fd817069c4795e5d0bdd33742123ab3

SHA256
ebfd6e426710947e01f8b41c9842ec0342d504032491dd8080e28aa955646514

SHA512
64bf3b7e2dbcf5d348949ecee9e367759de4ad1da54d5763232988842babdaae37a61875d940e146a463b085c09a81ba69fbdc89705a92e3ade9b664a10c77ab

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
fbff6859a2b030c51b0fd85c3a2b2e42

SHA1
8c40a3ab3f9d2d91fb94f0b7d11b91579b4c7637

SHA256
b1a3448d5ef893246a40fbe2de14ec9312e0e8d4d068d79e8432e0a9fbd67d57

SHA512
857af7cdb43050f31c63e31ac42cd5ccab699f0a34578212083b0c68bc43216de91c862a38261945650b181d75b904ce87e67ffaa6a9858285243dee14e7e4d6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabDFE9.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarDFFB.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\wwwDF19.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwDF1A.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\Temp\~DF0C052ED1BF4A8F90.TMP

Filesize
16KB

MD5
a351690f2df3c71842e0c41d09ac9d89

SHA1
4e8a85ba87da776937ac569a6ffff667030c34b1

SHA256
9c0d15e746540b21d4cf4a654ecaf211c89d814160f5c35edac16bd9071448ac

SHA512
1f7973880ef4f1460c857872bcb8b1459d4ca9fa3ed33f846673e68e5c1165b36b81cb9534040cf5847e5dfc1f7ffad1e6d09c3ecc635b47f41f423f64aac7d4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

Filesize
5KB

MD5
f2edfbd70e264da621b6ab6a771962c5

SHA1
8e935699b5037aea8541843eeac4ea0daa936d93

SHA256
43adef38c12ace52e2b8437b675ff8ec7c83da647f7c7fc0fce8aa56c3518cc5

SHA512
30a250e025dcaa4fa9f290a28911bd8c135e2f9e8563d38a70c35c31ef871b8a95191d2a83de3ccb37dca92f89b7b24f874d94c8cf60edefd6a05872b2428324

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

Filesize
4KB

MD5
3e27c3d92d250d9ececa8b4b8974f655

SHA1
211725cec183d09d064db0ac2093a441556883e9

SHA256
eace760d480e773131ead04fa8272365577e6e6f094eb2a06db87c5469fe74d3

SHA512
912a09cd428a9185dcb829f1b686a36b98b9c55d801552847fed04cca566c404ea1e02826749a0e3bbb6951162ae23c6445f8507768fbe0551628d46387dd5fc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

Filesize
5KB

MD5
12148676c5498a926b5023ceefd2e248

SHA1
519c9f9161f5fbb431005b01715837dc88a25b56

SHA256
b96722b6874256d1651a3f0bba6f04e05db6ca0676bf8d4fff6713de556d7001

SHA512
805039720fa117c6ed1ae9b715d6e584ada580cf7c3e06f8163dae4e65a9656e1be0af262a8cc4ba72a2c76d03aec92404e358da6c2e2e9326a8275d54f0619d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

Filesize
4KB

MD5
85e502eb081151ad3c6d121d53ab8fef

SHA1
94b770d3fb83d2a6551c94f695d60f5964c33ca7

SHA256
c251a44e7da239008e681ffa535d73916858d8ffea8479449df4de92152db832

SHA512
36afe5b8f3a1f50e2979962fa27e8ea35b98b03f3b40c79632c8f4114da6e9aeb1c12ab84fac5249e32283b3a00353fe2c220c400a88581917d507b973529cc8

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms

Filesize
28KB

MD5
62d977481bbe1a94e4c1cdc169969d7a

SHA1
5550b43d879df777df12b2f75ac4d3025e6f4610

SHA256
75f7d219f369cdf0af0713400bc3ea2cf3463b22d526c5480fc12965489d8ff0

SHA512
269c0aeb122e2c21bb9f7881f7c929d7c256437cfb758fc57f0008eb208de84812b3b7c82d1c079a99470da4059b990b9809cceb29c2ca82b7b0a5fa54b2e3e4

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
225KB

MD5
a9423edb0c8d21619a95eff528313a82

SHA1
2acaac0339309616a5b0baecb73e1ec4b60130b3

SHA256
c52980f2111764c357c697fe24ac3a39a2b7495023ec139bccdc467913c672ee

SHA512
b30f076568bdc030943bdcc79c3d00cf3ae7c49fb34df3c176dad06c089fb18f9015956e305bd23bf9bba8a4b2b95600d53669d244d8f33f8804c803891c67ac

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
224KB

MD5
3cf167b097c69193feb3e73a906755b3

SHA1
99224e5ee9c033c1c32585787adb8234859c3ef6

SHA256
b285baef2181ba98de2f6b7aa4e354cc2e49a188858a5e430f4f438959079395

SHA512
666b6ac6152fe18c46eb640b9aa394dbf9cc87195ff8f366c689ffb7546e729c9ee1f2a58040a03639061f5121ba85381fefbd6f3d50eb35bf29db99abcb0867

Download Submit
memory/1624-986-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1624-1022-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/2128-91-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2128-71-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2168-28-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2168-46-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2168-36-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2292-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2292-35-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2292-70-0x0000000000260000-0x0000000000285000-memory.dmp

Filesize
148KB

Download
memory/2292-72-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2292-524-0x0000000000260000-0x0000000000285000-memory.dmp

Filesize
148KB

Download
memory/2292-29-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2416-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2416-17-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2416-16-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2416-27-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2416-1-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3032-95-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download