9c9d2307729bfe4b348f0eb4a04991ce633d2b9ea12fd3182f3c67dd9985518b

Analysis

max time kernel
141s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
Size

464KB
MD5

83bab7b9286354c9cc3fb55269e62088
SHA1

cbc35cedefe6dee32fa94759b212bec76ae832dc
SHA256

246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627
SHA512

ed0f167cbbfd1c33d8cc30856d78d9435d3423fd2bca99ec0ca6d94d632739ffb6b671f68309c86f0d0c8c56a61db96750daeeb9c5138690d36be58912b9ea70
SSDEEP

6144:t5kjHf7sw+GvrsPc5FXCQGOGTywkUb8MyXWMowoqPraQagmrk5ISkwjuO6+JTfiD:0jHf7v5FX0UUb8MhMNoqPWQagmr6Iv

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2528-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2528-3-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000100000000e664-8.dat	upx
behavioral1/memory/2528-121-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2528-357-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2528-1455-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2528-3653-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\NlsData0011.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\NlsData0018.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\dhcpcmonitor.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\dpnlobby.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\msshooks.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\wshqos.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\msorc32r.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\NlsData0026.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\normaliz.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\pegi-pt.rs	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\authui.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\loadperf.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\msnetobj.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\ole2disp.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\oleprn.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\usercpl.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\amcompat.tlb	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\dvdupgrd.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\NcdProp.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\netprofm.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\printui.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\appmgr.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\dssec.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\gpprnext.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\wudriver.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\C_870.NLS	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\mprdim.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\vss_ps.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\sxs.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\iprtprio.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\msxml6.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\printmanagement.msc	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\netsh.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\wincredprovider.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\cryptext.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\iprop.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\netcorehc.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\KBDFR.DLL	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\korean.uce	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\wmpsrcwp.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\wpdwcn.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\AuthFWGP.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\BWContextHandler.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\C_737.NLS	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\mgmtapi.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\RegisterIEPKEYs.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\simpdata.tlb	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\SyncHostps.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\user.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\authfwcfg.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\dmdskres2.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\HelpPaneProxy.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\odbcbcp.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\PerfCenterCpl.ico	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\wshbth.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\cintlgnt.ime	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\C_037.NLS	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\elshyph.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\NlsData0024.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\wscui.cpl	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\zipfldr.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\mmcndmgr.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\verifier.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\SysWOW64\dispex.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Ultimate.xml	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\explorer.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File opened for modification	C:\WINDOWS\system.ini	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\twunk_16.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File opened for modification	C:\WINDOWS\win.ini	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\twain_32.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\fveupdate.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File opened for modification	C:\WINDOWS\setupact.log	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\write.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\hh.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\notepad.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File opened for modification	C:\WINDOWS\Starter.xml	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\winhlp32.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\WMSysPr9.prx	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File opened for modification	C:\WINDOWS\PFRO.log	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\splwow64.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\bfsvc.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\mib.bin	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\twain.dll	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\twunk_32.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File created	C:\WINDOWS\HelpPane.exe	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
File opened for modification	C:\WINDOWS\setuperr.log	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "290"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "290"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000005b894a6aeb88d9a18e3a3a543c048328c8171bd771b5fdfd524e88f7cc81051b000000000e800000000200002000000011ed86c188b6c9efd33c2dee8d40dcc1b3b4a6b59050616480d6f88930e145da90000000b2391d4a2053a476a16c6ff09d1b9bde58df80129dcc1fb9409204acba31efaa142b3429ae8469a71056a4b3874da504f847176e51e9c039294dc0995674fd941175cd5ce6819c7049706aa2043ec836b95e323495535943eb840375c0623fde4c24655016c601f2014ee61f7bfa31c6661f0c1850422242ab217864338353963d2bd59160f8d21b7c3682e1cf6e6a2240000000e38b86e239475e831b8919c3982965feaa0345462c37431204e71e43f3555acc335ecb76239e4b68627ebf5d581224d66dbac2af71bd41fed7b359720d16d2a8	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D1FAEA71-69D7-11EF-B4D5-7E918DD97D05} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431517980"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70fd73aae4fdda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "290"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000058ea65599f52412b4c71b4c269d01ca3c9755fa9ae6af8719bd8c382104aa035000000000e800000000200002000000070d445ced1b6df772667e2b7afba10335f558d402a4056f3a0f67efbe29e381c20000000688373242afa455aa165f4c5e225d0b1897bfe758b1e749f2ac0f63004406963400000006ca0e6a242ce37748d9fb32429fb833b9c34d49bb043e0674ad1c361bef06d9460f004351f99892e61281150d34dde425754610cf6c6aebf51d757e6b1d37899	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2040	iexplore.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2824	AUDIODG.EXE
Token: 33	2824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2824	AUDIODG.EXE
Token: 33	2356	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	2356	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2040	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2040	iexplore.exe
2040	iexplore.exe
2356	IEXPLORE.EXE
2356	IEXPLORE.EXE
2356	IEXPLORE.EXE
2356	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2040	2528	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe	31
PID 2528 wrote to memory of 2040	2528	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe	31
PID 2528 wrote to memory of 2040	2528	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe	31
PID 2528 wrote to memory of 2040	2528	246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe	31
PID 2040 wrote to memory of 2356	2040	iexplore.exe	32
PID 2040 wrote to memory of 2356	2040	iexplore.exe	32
PID 2040 wrote to memory of 2356	2040	iexplore.exe	32
PID 2040 wrote to memory of 2356	2040	iexplore.exe	32
PID 2040 wrote to memory of 1652	2040	iexplore.exe	36
PID 2040 wrote to memory of 1652	2040	iexplore.exe	36
PID 2040 wrote to memory of 1652	2040	iexplore.exe	36
PID 2040 wrote to memory of 1652	2040	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe
"C:\Users\Admin\AppData\Local\Temp\246418b835995d34dbcdd3b348aec91e0e92f6c5bffa3f581b7900f490110627.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2356
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:799763 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f7346af7b03c23a118b754b35ddddcb

SHA1
38e29f9d079d66d8748b3f95da95fbb42c973c45

SHA256
e28a15972cfdb80a373e832a85ec63ff512c5c9ab912a69e950f4cd06ae553d7

SHA512
746d788d0211d9168502dabfa2afa354a0ec213cb9f2f149ee641ac1b8089201ab2b8f12f538823974eed0be887db3e82dc4d85e731084908d944f6f69e69e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96acc381c7e3c7b3b124c24f0a0e49a1

SHA1
d4ba2ba36ce3d5ac1083402132e8d455ea1db03f

SHA256
5998c883be9a47a7158b7a196d9498269a8af45064ec614c379c2202ce424f08

SHA512
98e4eae2bd05da422bc8123182acff9ee7b7a15ed1464c31c25262bee6f36face5d508a8a517843206ec8fdd985f0d9f9c8ca027fc9e592edfb49d4b1b643fdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3edbfc522db1062034d4a5aba48107b7

SHA1
4d5dfbbc14a5f8cd82b23974b569bad52c91a4b8

SHA256
90624ab01fa5b2facb3fe7726b535f2194d3dd0ff2e10e38a27067986e3d89e7

SHA512
22198e4ca98cf1de5f9597f218f6c43438dc30d9b35c010b88170757e6c104f196986397a16f7f07ac806bffecc6a664aa6ce1a356ac64ed26f62f5e6d07cf43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d25f7401019861c91eae66089b794a9b

SHA1
4fc453c397171a95e79d0457dc9b1a0b61e3ab48

SHA256
aebbf04bc9353ec8d9fec121c68a70a632c4dcc7c0eeed04f0241020b2947d78

SHA512
447eb8c22ef556a247e726d16964b6b853e235c58d8947b773b0b5cf6f33c0cad5f26fb8e2ba9964f07ae169312e81695d789f08283ffe6acff85eb3cfa0fa48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b44f9e49220d994204a83fd7cca0d92

SHA1
2f179edbbde9dcfd9b7e122309e254af0538c579

SHA256
ce2c0b2794541b8e17a4a950f1178ae8d494c3d54e56524002b213c5d52c2fe6

SHA512
d617a9db80aeb01f4fafbd5b96f49cfa8b2e8954439201292d2560c7e62e14ccd76f1ebd7fe9232c4bf11bd59597de73a29f42e2fc2dff8495e67565ec2d5c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b95c66a8231a7e483559da314b4cd97

SHA1
5b770880e0afbe9fa255334003bc00a3c3d70813

SHA256
ca43116d9386769ea48453bd3507b6c8d6fa7208afd90a9808fcda4232e77f2a

SHA512
fac0b77fcadc89b91b7dd165858d733c57f90551c76ce823aa1448cc574dec456c6c59f4df7f5052d5270f8dea55e4266375abcbf30b17caa3f39a542467ea44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e987b1558f4c9384b6948b41dd474975

SHA1
d44310f36ee14c2a0d28ada1151b36e710b6d93a

SHA256
44332dba3bd576f431f4c246c0efe3420ac2a238400883a25bb23f2f04607529

SHA512
3a62d73f7657bec4d34fb2cdcde61ab41b26a9c3617e2703e6b75e5780f955d6a55e220d8e98ee99b84c20c86a20594c4de73cb0510378f52a2a0275d33704f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b74ad4dc0c6e4bbf05e675da8e6db5d

SHA1
5bda8f28106cdfee4177bec7ba3052a2b8e1299d

SHA256
f0b2a3d0e753237180ce5dd645d2e9fade0616bf44265e7a52ca0566fc34b36b

SHA512
3267a06de841d9d640d547174308b3be04d462545d577a2354b6aa559742c6c1658fcb3937374d8ac64ea5ed03ce9ff24330507a1add0a80398ae72fadb13991

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd9c9748cb06ec0ca4c941f2b1a09074

SHA1
442ff975c836a2d95fe15f023a576ddcd482985c

SHA256
fe796c768d40c76110f9ac70e2ad233121075b5e526bf4218ddc1c981cf9d6c2

SHA512
b2ffdcdf1e0cfa962e4dd0be12b1ed8bc3da92267d491a4fdffffeea502fecfd9007cd65c3a2b9f91d7bba43c98cc2c15d1a1a94b598e4cc0ca78d046caeb13e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ee45b6a786aea98fa7b436dcee5b840

SHA1
4421bd28eb4aaeba23f3dde9d5f543f17e61589e

SHA256
458d78fd77bc36fbf133b104fd1709ed9e4ff137a7e3a5f41be323e59aa4c353

SHA512
99f1fb7e7e96bee1ec8bf6e13b81ba1477a5589b71d410bb503947a43088a80e2dbcc59da3d7859de72f76ac8ef5cb1eb7007794ef68fe99f496eb61e4b9d4ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9788297e8a9c4ad91eaaef4835af59ba

SHA1
03b4e685a39f84fcd019f00a408b60ab7ef67e61

SHA256
1ce774ad525e5c1c4e1e7e45b2e133dfc1ff3c4c7145ed054a6d5cfe1e163368

SHA512
04c3c3ebe373e211775122a18d11d14d30d0841f955dab72ad2060b359ccb033e113b0c532f26285c5cbcffe941e05c727f7cd5743bda6567636d0a936f1f8a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1b26f810bf00d1e03fbf05e19352492

SHA1
682dc890f116335c4c79f5f3bb8003aa5fb65656

SHA256
b24ce4919572919a7f861f69100764aeb7217a720401fa226f9e6a5e2f5c6b3e

SHA512
7bfc209b314c68d5eff3e6bbb145fdd932ff6342c7c53f0ec007a47fb2a9a673b0c8e87e1cae15a2e5675371897094794bc9cf1578c07826a9914262a9397e91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c09ccada4ef816aa9393037d8bc7e21

SHA1
37a73e6872669d803680e168f7cc3a3f39d403a8

SHA256
972f3e433c4005c0c5f570498b8363a6eeee1f73c0be3998e603612c60db806f

SHA512
31a44d73496aff28265e224c90b8b5761b54a9bd6080c8e7af57234fbca36294098fc083f44756ffcef176e6ee679c25a96f210b253e51e341342946bc22e200

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef7718262d663e04d625785d2848a3f1

SHA1
a7fe61729d7f17c34e1d2d6f04b8778ed58db8dc

SHA256
d7b66897645c2f1defd59ab321828866ed8567e61fd2c7934e73f50e2be3d193

SHA512
a83dbbb1711f40d91d82335b07e72bbfe4b570d0876868c3bfe001173ff2657b3b5763da77d1e5bd4df8e1a95dc1151cede8ae536f2c28ce1b83f5aaa40e6d56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2890348f3b5069c5c9708033e6d900b1

SHA1
506fa05de4ff14342f0eb8a4b277ccc83639c61d

SHA256
84537da3a05b39b933833e1634fae29b76b28be430087664bf31be338119444a

SHA512
f592c43b35e615b842f4e1d7fbab145456ef3e2d5ae60ace2931028bbbba84288040fa143509a8e2bda1bfa3bd057e7a82af051844f745017584703fd6ef2915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c80fc853cb06b5926177bb71511a6f19

SHA1
a99c9bde39a17a696d9c3dc2ade19d708ee95d86

SHA256
7da64d9f41c334a62856f172b64fe89d7369bd32acd1852e9c07085dbd0a40df

SHA512
1ca2619916590a82ac9f4b37a149e0aef034678914251b8b331a7a5709969d3ec474225e437aa41b3f8824225b4f863615920c2355a961f1a277eb53837d803c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3262cf9933c2e1caf4a80755a5c8e119

SHA1
dba23c035d693d1582d1f8c5e0ca39242c311799

SHA256
7ee977a326a3b7c5181994130d33389a00a01798ee46ea73f7b644e462018db9

SHA512
fa9b21704ded9cf7a932adbb6980996104bd1e5fb39f81c301bf2abaa6be1ea9f15819c8d81464ef588f639f250ed5200f3da79a30a1eaf921a3311134da0029

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d513b94065bb1e83a5fa5b761d890265

SHA1
4b0b48709b27597cbc1924c739c4ce98a481bf49

SHA256
d80cce8a2a1252045d7cbac57dc14638d2f7d06decbccee562000480899f58d7

SHA512
c71b18fed4726268dfbb1e1b532922409b836fff271e4d0265cf06b294df432c0ee08a48656905cb1866d8218f342d5e32fc4a8d2e510f93e42d5cc8c3ba0458

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94515c4942493ea9f3530cb021092606

SHA1
e64905f68c2b5b7fab3ae3f0246a1c93f43f8b3c

SHA256
64ebc068fd82209bed049aed30a8916c33d85a10ebdbd74ef2bf1c9e9f9650e0

SHA512
7641018dd07caf108c0eb2de74c53a45df814ff9cc345e4a193fd0fa19319142adbc0608442f0742cff0e34a5f914a085284c7f61f474cfe25ee60ee0a1e7f2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89ff07b4a9746d15010329a1e998e3b6

SHA1
fd0ec16349c61b94745bb88e8738729d293a4f2b

SHA256
e44f62714cbe5d1975c0032f7c7d9dad3d50a0416f5657cd1ecebd218fdc0b64

SHA512
b0180f975f25925b7198ab18190e58cb1c40f63485679a26542189385ba3cba35ed31e5c5ea7af6aa873606f6c144228787d69fe20cc1df20dcac6934a08bdd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
815b8df3925deae43c77cb2ca53a916d

SHA1
60d51bf86e32d4701ea948cf54be0c281779f885

SHA256
e9639cf521f1b0f708d354dc4e89d9defede37db67c7380b17e5cd6a9166383f

SHA512
fa1ca84fecf3e8a2d78c3f3565aeb9e8d38e7177d89141e8cf3f60103700ce9a03ec00e62da6a65d4f1de42117eaeda07f09ebfc64040be2e6db32bc489a0797

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9c03c8c9cc4135031c7f091e9891f76

SHA1
e539b7a9f673bce5ebc1f7ca52fa5b33eb78ee9a

SHA256
8ff026dc7d81a297dedc9bff4e97e68bdc0e0e3b268d5f4e934f8405afcf2ceb

SHA512
0900c45c0440fa78777e3da1056f5f24968af091b5c9530089b87441d8a1d21c5bb734cd5051c4d62856db0d2411c486d9f9d419357f9b6732eb27635ca22451

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5bf2a6f72c2ffbfb9f452a0ed801731

SHA1
f191afd27cd3255ab09523b57741ee6b0d053577

SHA256
212286e9da20e1af2398e7645a5cb05bb24be14a66b5a2ddef25211c52541c9d

SHA512
f6361d46ce2c399ddf38839c0036407432495e3de729611249caac6a9ab0e93977b9099d292fdbfe002aca4a1c2a0535c6d47da0dbefc98db130c4156000a4f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86f7b8ab6ff2a872f0a7a1cfa9d5a616

SHA1
a535a0906aed6b6c6d3404c421a335730fb98d04

SHA256
e213d8d62d4561e0856416fc240e342dfccf2509fc720d0e7db77c545c9d4aba

SHA512
18984f4c6fd6f95eec27d715cecff43297975a1b597b1cc55076cf675239907c5fcaee506baf07ddb8763e1b64137f04549407bfd521076f9d9c5ac74b66ddbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f40cd3b62da26ac9c204056c39ba92a

SHA1
c48c382540facb3021a38c58b5a0ace8c93ce1a5

SHA256
718951e2f4c65242f5e1c7b0239cc0c96ca31df47b12cc33d2e2038bce970e25

SHA512
3df49acffbb87d693c696e4c8550e087e064c940bd35657e558445c7d1ca421c87b17d18b5d6da6786b45a9551d39fd1bbd9e976b9fd092a6c11e0ae6562620f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aff9252e9a00de44a355c7f1bafa8b68

SHA1
178648bdc1c386ac230907f73ef809cdfc27f957

SHA256
20883643bcc5a9d772dcd389a11be2dca3f64b972e61cf6fa2dff93e4706f298

SHA512
0f8ab52d549e4f84810e310b1472ad0d4c0ec86e437ea9df9e8bc24caf3b1a57a3778ed85428279ba60c8bffad01daf30177045bc79a6682cb2073207b1d6e7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90a84a9a1951430822c532db7157048a

SHA1
771765a98a503756db42befd27eeafdac24ee77a

SHA256
4ad5312fe66b22dc524d72f0b44b49e29aeba55805c8578599f7763eeed4306d

SHA512
b33ef0b1ecd73edfb3225eff5eb248fbe76fa1b9af8862c9d91056e054395c922694ffbda30ef4fb3b3f6c166ea2a075eba5476fa6e61e01e204291629c31168

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cda62d19be225cda63c50153553eb01c

SHA1
e0462713bf9799c916e14cdb0c5db9473f27ff70

SHA256
00525634311e51371c3ad2031ce354006e01e0864a27170cc86ac1e554907129

SHA512
2781f18ed13fb82eaee28bf0b7110b2edcf0ad08a80a5edd218b1091aceec5b691d09ae45f88a38b80f0be097f1c4f2afc8ea6e82c95c6dcd81475520ace0cc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c2703c20b78bcc888e79e61a1dddd90

SHA1
145a42bb9a3663fd8e5edbe8b55ec59fcf47cfdf

SHA256
774a94d697a260c96ed92e5d668cbf00cfdc98f97885b7552500c02b5ae70382

SHA512
9b34cd8b25cac4da76c014003cdf14f54a14817e416d41d5d3f5638a5f288d2e74e0a57477e079358dddc887b195b512a5cdad090042e23894ef064864e1b3bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c5ab260ea096a77ee0bfb52d5855afb

SHA1
9871e4f2fbf704a623524e737908753c5d7119ea

SHA256
42ce5c8dcbd65f0de4e4c968d865aa701af3367cafc7855bce705732f6bfaf96

SHA512
273bd1d0107b047ec481ab361353e915da98c2752b771808893122d0584ee076437a503c904988e674da06e5898b56bea9a0034ba8913a145fdb6671baa8f390

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab7c63ca85f9639c950c400c42b012a2

SHA1
c6c48e5135a20dca103601619fe52b551ff7f13a

SHA256
ca349a7405af1c5ff1a8239482707c4f49b6c1629572c61001955b704585ce0c

SHA512
f20e90ff364a4fe09042f158472ae777e98a129f8c6cdb84797791754940f779cebcf4696105a05e23f3e6013168de7cacf93e344faed225de471d6b327be640

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f017b507740f96e67257b536609fae19

SHA1
041107815a5376f73ee3c93f0d5311eb8387e540

SHA256
1b749a72e6ceaaa0d2a730544131eef8c006016be8e2cb6e6cbe3bd552fcd75a

SHA512
c4872cb18b3c6897e63a8c692a8cb455a2ad8886c29e7eb4ea4f84e6ff9fba033b2ef07cfb49bccdd3a3033226912b74d556dfd4aa6cbf1eb694cab5151b4ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\LRLTV0UJ\www.avira[1].xml

Filesize
224B

MD5
f3ad7d7923f54ee7df8a1906f95b1e2b

SHA1
502ad54b8b079edcbcea794e34410be6c3249272

SHA256
d5327520bcbbb8b6752b641b9574c275a3e5baf850a6335b9f096220f4e44428

SHA512
9da046d1c02edb8d6481fe946fe4a41f0610e6e504528989f6d4ad4e2f17dc18debc7416a3a66066697580ffca60e7fca2ba995cff0d2a65a7cbf7be473dbc1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\LRLTV0UJ\www.avira[1].xml

Filesize
437B

MD5
52c25e9175649b49085ddd93cc71c52a

SHA1
60e33ede917518cc540375b300155a21d895a89b

SHA256
8be839d59cfcdf0cd59d91192bf5dc98f9fea97b1ea398887862ae9b1fefe2aa

SHA512
c29a4a994f351c1e20d2858f00d7c94933e925346d724781e4b55f17b97e14eccec14f167793a8cfe8045b7fe9ffeda4238b07bc4c4e637ef4c06a21771acd8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\LRLTV0UJ\www.avira[1].xml

Filesize
575B

MD5
fa93e3d10699989d5b596338e35bb08f

SHA1
ed17c00d4dd1c00061034d55b83fe9bd3da1512d

SHA256
fb0b12dd26b77cba88d193e3931cdc425538e399bafc7cf6c15b341b5d0bc0bc

SHA512
7f4944c0fefe6296b0be8ce02d4781a0bdb2cadd068caafb0626bda65b3f7c547f0a8524c774cfec5703bafd6a41222cc398cf908aea1db189c99c1d00e6ecda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\njqq61f\imagestore.dat

Filesize
1KB

MD5
30ba83f5a3ad541966acd746e2383d2b

SHA1
970e05d0e778a11dfa360dfb6a6c9ebd717a84fc

SHA256
c4dfc69ebe2abe90d2e3845bc0982f17d61dff2244f017cf716729cbe0e564cd

SHA512
6edf1206191ae671d96fd481f0e27be1b1f21a9793529f12833e66c809017e82bf3bb2b94bef360c99569c378c87a78a29e4da15acd580477baa73997f2c44ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC96.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCC97.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CFLM2XVW.txt

Filesize
394B

MD5
65ef95a9eac1383247ea3689d2d47d47

SHA1
c2d6d8fce88f5c1e5d94018d5dc77e238df804ce

SHA256
8cd3f2078b5c7c1b4cd720a5096a7bd0f15541c12c7fa17963a878d3703e5021

SHA512
6b1144382bce166448fb8525de197bbc27c259ba3d1e1a3c43b907bce7d7b252af8e2dee451b4215453f1151787cd5eb3214ade0f13dff941669f85bc8e90a7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HSFSI3MH.txt

Filesize
642B

MD5
858df244d7bbf01e884f6865e4788c78

SHA1
b5ea558d839ff688df8d725b84bad029dcba0276

SHA256
b148f73bcb044a186af423734014f92cafab9778633423901098197bcaee87a4

SHA512
727e3768f28c51cd2ee2b6dad93dcfe1922b49ddf50190d30e0f021b15e49e59d3f8fb040524d150e37d378227f5334ef149873ad95a561423012b0851aa9cbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MZFU9A53.txt

Filesize
583B

MD5
46eac515ddb64b37b89a36c29cb91481

SHA1
c3a6d886b05c56df6ed46b438e732ad7e5d2713a

SHA256
76c32656a469ca7ec27f8746a3185eb0e718560e7da4a86adf1ba78df7cdb6b7

SHA512
2683896e384ff23b65786c78cafe66812fae5a4ecd3253dd49b23eb5f71ec7166d72f9aa4b15a49f0fd0d0617d5c92c0b61291ed71852edbe60158907c356179

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
9ceaa7806fd5a63c95180241abf5d855

SHA1
bbd06f507ce6c050f11f6f12e01190649f0e7e80

SHA256
6a8b7e9da48619f5c4819b17be4afc8cdef64fd9481f42d3dfacf35c047f085f

SHA512
94894e0f2146a051471fe44e4ed84b52bbe456603f256be1f2463cdcb796b389748f0ebe8dc4b916eedaa9805a6c482376f06ad2adb15cc9cc0cbb5c0e6bc709

Download Submit
memory/2528-357-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2528-121-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2528-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2528-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2528-1455-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2528-3653-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download