7c44076317c70c875ca31500607b833d229f79413d89522cc6cb61c2acb4eb2a

Analysis

max time kernel
143s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
Size

747KB
MD5

808b1e446a6784dc5da2967435e76ca0
SHA1

ef7295fd32f9356d2199ed3be3f9d8f75e71f2ce
SHA256

bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8
SHA512

d64963b6325a42c0b8b1d703277a17d0017b11a6802da92bc0cfbdf986c54bec0a774d01a3fe80d04427b90bffce0481dad5165fe6ef862a98b93bb95f3b1f0c
SSDEEP

12288:Mgv0EYgaJV/Qt8tBBgv0EYgaJV/Qt8tBBBgv0EYgaJV/Qt8:Mgv0tbjIcBBgv0tbjIcBBBgv0tbjI

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\kbdax2.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\KBDDA.DLL	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\regapi.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\wlanpref.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\WPDShServiceObj.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\whealogr.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\dmscript.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\drttransport.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\msoert2.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\NlsData000a.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons0009.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\PortableDeviceClassExtension.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\rekeywiz.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\wmdrmnet.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\NlsData0c1a.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons0024.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\onex.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\winmm.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\wudriver.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\getuname.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\scrptadm.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\SensorsCpl.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\spopk.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\tlscsp.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\traffic.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\upnpcont.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\msg711.acm	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\NAPCRYPT.DLL	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\sdiagnhost.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\cca.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\locale.nls	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\SysWOW64\msvcp110.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\inetcomm.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\KBDSL.DLL	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\lsmproxy.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\powercfg.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\esentprf.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\kmddsp.tsp	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\taskschd.msc	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\korean.uce	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\radardt.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\TCPSVCS.EXE	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\wuapi.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\comsnap.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\cliconfg.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\fphc.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\phon.ime	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\rdpd3d.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\dpnaddr.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\ksproxy.ax	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\UIRibbon.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\diskcopy.com	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons0414.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\samlib.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\stdole32.tlb	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\KBDMACST.DLL	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\KBDUR1.DLL	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\MshtmlDac.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\msisip.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\ActionCenter.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\d3d10_1core.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\Dism.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\racpldlg.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\SysWOW64\bthudtask.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\WINDOWS\bfsvc.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\splwow64.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\twain.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\WMSysPr9.prx	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\hh.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\twain_32.dll	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\system.ini	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\PFRO.log	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\setuperr.log	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\winhlp32.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\mib.bin	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\notepad.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\write.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\fveupdate.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\win.ini	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\HelpPane.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\setupact.log	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\Starter.xml	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\twunk_16.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\twunk_32.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File created	C:\WINDOWS\explorer.exe	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431551754"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60134f4833feda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "255"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6F9359E1-6A26-11EF-8920-7AF2B84EB3D8} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "255"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f03551000000000200000000001066000000010000200000006d9a6d6d35a08d04667e375c406781ad2e37f3b1cefc5e8ecc995031b8e5f4f3000000000e800000000200002000000088c394a12df2e75fb4a7120e10c52b626bbebb784ade68b4453655f920d3b85a200000006e776b95ae99deb88a5fb3c7863dad6e9d64bb2fcf38322206f7c0ee71dc88c1400000008b00213a5c094b8f38e8536d217e1dc04a923d2b04b66a64b2a25015146523b2a74f4b860a604b599504d5ead2c70dde8a60586e35698bbc15018f90ab0baae1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000971d12d89059bb15d33c6de18da4b9fa7745162985de212874647e7c3139885c000000000e8000000002000020000000f08c7c7d2ffa3e69f81c5f070755162292395c1587307f9cea7f6e824c03b4ed90000000cb3561dcdde8dc6004caeb724ea5d2381e5b935b9d553fd3ace8925e6e683c3a0faf5595548a8e4085c8af35d3d3076bac6b4ef3a1c1915a3ff12fee2d36a62134c749899a2285e0f061397e8ea0d0b49703cd885c5a3b802c025a26706035bd4bd115e0a96f0e6b2de9df4a9fc22eb9c8c53cd77c9262b391b16affba810088e313bc0216c5b72413cc420e067f3058400000001f2a40d4deeb3f1f0d9b4c918d78556294718c21df967ec6d0cf519fd6c78fae267cd19e20ed832bd0e3327d769721e9c0db75bd0eb946829d0d9beda95e8777	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1964	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	928	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	928	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1964	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1964	iexplore.exe
1964	iexplore.exe
928	IEXPLORE.EXE
928	IEXPLORE.EXE
928	IEXPLORE.EXE
928	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1964	1976	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe	31
PID 1976 wrote to memory of 1964	1976	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe	31
PID 1976 wrote to memory of 1964	1976	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe	31
PID 1976 wrote to memory of 1964	1976	bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe	31
PID 1964 wrote to memory of 928	1964	iexplore.exe	32
PID 1964 wrote to memory of 928	1964	iexplore.exe	32
PID 1964 wrote to memory of 928	1964	iexplore.exe	32
PID 1964 wrote to memory of 928	1964	iexplore.exe	32
PID 1964 wrote to memory of 2552	1964	iexplore.exe	34
PID 1964 wrote to memory of 2552	1964	iexplore.exe	34
PID 1964 wrote to memory of 2552	1964	iexplore.exe	34
PID 1964 wrote to memory of 2552	1964	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe
"C:\Users\Admin\AppData\Local\Temp\bea69dc98608cac98198a93a37dcd822ba3cb0d2a1a42be95e92d0d5ce7babe8.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:928
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:930835 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
0b7ae5baedd77a6c04dab7704e13377b

SHA1
b2d8d3a150dcfc0c426bfb681b080aa49888dd65

SHA256
5aeff8a5a5de55f9b8202a7e6c34efccffb4bd2b3d23e6c2b1697f9594aae840

SHA512
cc640b798ff4189d7c17948a5ce6d7e3c441e77e264e05eb73719d7de4889e90a8c785ead5aa44440a74b21bd4d9a7ca7aea474eca565dd3b09fca80300bd7b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fae73427a0721a40776d3fdc41445ac5

SHA1
5140c24cd4d0b5161220e531d8410bf444b59f96

SHA256
a013c66204f220303a2ef9c74b1e5c33fed5b391f3ab93af8fc707054e37449a

SHA512
62805ba786f78dc128e9fff45ecb1239839ff229303364f35bcd3d1feda9d0f965c870855d3110de0770cc0bdfab78ad9fd0892b4584df09af5f3a9d9720a7ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a2e4adfe5bfee3bedeaa748fb2198e4

SHA1
01bbffb84a09343b2158d27308f22c80c5f03df7

SHA256
dc615e460e561bac6398f10589220c04e1109623c18e2e8b440abbfccb698917

SHA512
6a5ec06a0e7f9104c747e9e55bc439f683af6269bb2712b940010031fcb09b4ba6f6647827d3fdb386869c3990ba311e1a3c802ce37a0e6ab22a5bc1af54a774

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64a922e2dc5d98a195af7ee261860498

SHA1
a855969612a10b8a0c18be6b2c86cac5e94ba84b

SHA256
bf772206500281829589565524012a94011400540b0e53d9411e01524db4bcbd

SHA512
2a0d2a35a7d0c0b85e9068ef1ec34b07ad441dbc1f7a9df3798b1178bca4b9cad336bf33f2656a6be6008ceac7b89dd42b7fdea1988d43df89a91b8e9342932b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e64045c6a2379d92c776af5157d862b6

SHA1
7cd99356213697d1ad47d5223cd953ca9acdac91

SHA256
8b975ebe57ecbed9b411b9c88e0e57cfbceeb87a05086c31a005b1701fd68005

SHA512
316633bb5f0c32ced960a585923ae302ebe1f5557eaef0d7ad4b23e0bac162ba6b63090122102b65a6408269cf3d11bcd041e153148c0e7fb092be20ea92eba3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df8cdd36ecb0a8f752a7fd0103b92f3e

SHA1
8c680135f376388d61985b607ae1a7a4bc1a8c51

SHA256
d097615a8671e2a82b67106188c0bb468fc65bbc00e81503d2c3169131979b00

SHA512
5cd65d0d86598b4e6f694b1a4757f7e50ad2e2eb1f49a9673924eace4c350bdd614d7894ec5725026adbfecec46e880870399cb0cdff47a310b2bdc9a9608954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a538aa4ed5e5d0ea0ea7d9b1e64c148

SHA1
a5a31d6a960f52983e63af112e16a8021a6c6059

SHA256
418cb64c6998cbacb9fd0611ebe507ab22f117f15aa7417067b5ce1783781e78

SHA512
6a1b71d97933507253b5104e29a8972c29e2331f617a0cdcc21d03aa051aa4bb8acb8b49bc1abe22dd5868711a8288c4f16cd45803fc6332ffac794e72525185

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed2730bea6393a86a59ea311c445387f

SHA1
e889d3812f9e7fa784c69aac835204365466650b

SHA256
cb4e8a85292bca7783e6cd6ea51cfda6ea672f0db0ec78f08ca0efad4a931a7f

SHA512
d441cf8970acab716597fc9c602ce598d0a3cf454122a4aa051991c6bbf528a48c85f2d3f29513c6dd071d7d35fd03ce71cf53a19d9d41b2552d11c7cbfe1237

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4ed5e8a284863b1399be52327fc3aba

SHA1
92d4e80b16c15cc190c890cd3b362bfca014faa9

SHA256
9cf9c6f4401a45c321b46b8c246ef1a4f432892cdcb5899d4dcd039b9e97815d

SHA512
534e5e2030242c3783a3cc6edb739943eb6723278c470b9b2ec8de5f41163243efcceca74f775fd5aaf739b51bb0933f038e17552fe18c87ce8a17f30922b36c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58992df6dde75894b6b18ecaa6a1743b

SHA1
0879c47c02a1bf47c0b07cb896fa3bf82cb558a8

SHA256
39aa96302941e156f40da9f228e5ab4f9c8386435d77c994ab40bc5d7ded55b4

SHA512
cee0cc708c3cdf37537b7eaa76444caf7a8a2f502c06b1b7ad7cacdb37822fe5373762bec0e24d655d575f034a3da92c3fda618cd316cdfe98f0865cd0a0781c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8962f77e9e618ca7d82d126c7270174

SHA1
71c71c92e723cd650cd060ec0b4b853b2844170e

SHA256
6fca28b451f0f767e261b5ade650ec009bf1fa4fa95b867e5905b03150290ea9

SHA512
1da50753b892f17a5e0d7a8d85071ba8844d99da450cea7166489de840c7b6c42c2fab3ecc8898e146534ee0ae4696dbcb2eb0c2d76da917820604e988b99c43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78d4224a80aede23fc3ebbdb9e746b80

SHA1
79c8016aa09cb62c33c42dc3e5b55387471c972a

SHA256
474b5a962fec51147d6ec807be3fc3395bfb7f1f3bb75382004a41a26b9d86f3

SHA512
2fee1fb7aaf0aa57c545e600d31317cbc1f44e8982706bf7715369de486d2271d0aa0a9dedb0b70d0a9e810a2819f608c93400c83210ca9f4892a4e14475e488

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c13af00676a457b7b53e887bfd849191

SHA1
c01466c8db16b46154a7045e3b060ad554e6c2d7

SHA256
5bd537df9ce56dbd3607a8a725ac68e4e57d3efaffec55da75ca589367904f70

SHA512
bb4193a118afbeeb4425a26b7297ca7151aa929c36806a8ca0d51f609be9e99d88bc57159355453b8894e93e5d7429c2dd4f9178674aa069a76a2f8496d5a80e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a457d3699a74e7477ed88ab9c8c5fa7

SHA1
35f9ce819777025f2dfb6a20b5cfaa9c76ed7054

SHA256
6e65da77729cd76e19d9cc5f6a1b04c346140ee2ef52018207e53ad010d1546f

SHA512
c15d5740bd3381c5cd117ea1f5a5614e33b188e7e67129c32c8892ca0be4bce53b7d93ac5dcd57130d8aab3988cbafb0bf9db7af7d4a051a8e66ddc989abef97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bbb4b5168126ac5e146b92d989bd927

SHA1
40c228cebefcec984d092442b4e1ac41462743ed

SHA256
db3e49fd901e65d6a8c01cefc5834b9656056a6670157bf550a635818dd620c6

SHA512
d41a95796162a0879e64639e6fa8918884b8410c8d15b559e5d9e4127b12c8ee4c8d376758b33e51fb14505918b8042c7dcbe6dd6a58dfac587906437a8b042e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e8b9f26353282a2e7de09e0676151c2

SHA1
efed519c4c69583fbe396a3a615389bd71dcacb1

SHA256
e69b4a238899c969584ebac65463f65f8820d3e926b08ad4e6d7cbc0d58cb586

SHA512
5fffea0e801db12556986322e5342e213d349e19db5459c8b306044dbb7926ba8341096db5806ad39922b7a3499248191115645832fcc2e2b90231a35667532e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51d5190c3ebdf3b4dd2e8e407726e6ad

SHA1
ee79c0eb1e6b2e4339b56ec7148ea37409fb319e

SHA256
84147eb385f152e6b168047c58a2e874738256f52e4878c3e0af5cd65810af9b

SHA512
eccc3bca7d7fc203eb95c15ed3e39b4ff53d3a754f9c7bfe4499d64234505b9f407bd064dfede1f0db1c17f67b82bdfc4702f04d9aac9521db03b75b1323f6fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b5178336cde567139f70dbcc5fe960a

SHA1
decf60b4b3a43f0f3fb91440c5aaf9848fa1e36e

SHA256
82d16753f0f937f9d74a454975e99762619d0e90718dad02f7d9a20a706e2dc4

SHA512
7931e7dbaba5fa1f49b91fa27dd81c3265d97f2c17a4c0cb9b34ab2926cdd6ac1509058d8e20391e55b3438ba8c2dd843f5193170ef407797840eecd1b9611d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3915ae1e914286fba1fbb498af3d23de

SHA1
089d01dba24c7011f401d159f77938a1d9e020da

SHA256
68ca629cce22f34a19e4825e724fa925fa60e4ab3115467dd403b66247a1fcb6

SHA512
c64b59c594935ddfc1308501bd978aad21e767a594d4b39e108b13fb335f454783468f8ae47e7a53dc240657640ccc828536c29e447a78285a2e5d50ccfe76db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ed8d81f24f5c5674991575ebd915a99

SHA1
f1ea107b167c91737e0f4a93b6af00d63a3e3c4c

SHA256
d9508dae842d11bbf4096a2809be3c3c81f9c4204f8294fc028596ef9151fec1

SHA512
5fbfd92ec1775d6710125d014c96b2d23275f8b7fe3bcc4dafad1785a3d72dc97a52cdd1f29cb004d7e0289b1b90aa0e4157de5cac17fae6e76ef2e1c81ceadb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d1fabaec37151797959292ea1cc6491

SHA1
8bee5e2405946d315053ff8b264fc1fd2ea3aae7

SHA256
693b4307f2ee5479bf56b01c8a56be1d239e205a29720c029dc36c1f96766e84

SHA512
18d9e262ba9e0e7d39e7ee8e19af5fb82cb7aa3a83526fe4bbdd6ed50ed3c9ab2948f31da0c82ec7e52b86c566c62fb582e08251eb9bfda5cc2d3d7022cef381

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85e4695d76dad132d207325bcf58cdc7

SHA1
85504e70b757a4852759c15411b3ec5752e5ca7c

SHA256
2481e02260695e0d2c02101ba2322fa5f47200e26523b1199f6f82b517dd120a

SHA512
5d6ca3ba084f181326ee289c1faed0f078ff6c572de6dff5f80b3114af675e265e51b97cb0319299bf85d8d34582e931141c2d9d3e65956a1c053223d83bc457

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6add57fa8f67110e06f685bb5e36c9b6

SHA1
c0071eefde6a4d66b0d3077dba11adbfffe433d9

SHA256
7c498cae6c47a122b4cd5abf2d70a1da251928e491e91abc2c60ad773b2c88e9

SHA512
e001fc0fac926b76c1aa653b4fea2c940b18303d829f1bd2281040e95d6ac38638396790c8a0e62a6f05a05fd55a1cb1b409a9fb654e9a2bb3555379f7d789f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c62a759cf6c3fa7a482c1be620b1baec

SHA1
773611606d347c1e473fa76fdede1a667f9628f6

SHA256
fb399c8e21b17a61b064e33b5edacc342c7b36194885fe18e8d2446b826b53d8

SHA512
5c803b6ead134cddaa1407684b1537177addb28b18cd93d09f146de204ebf95259a456194bba821d20b97ffdc37eafce6fc3b646f5e8be1dff65c3d124b4ef89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4094beae5fb9b13104dddbb0e874b14a

SHA1
e21960f601dc241f8399f9207f98ced720aea501

SHA256
20a483848064cc21a100bef1c0a35fb2a22b41d428aad850f865150abf13c6fb

SHA512
58ea3d498585b1c1941574dfddf9116edfa2cd3bcb1ecff1c876530612453dea19807b933d45a0af6a6f7585daa21d6efdbc7ef36814e80d9e0272da463a1f09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f393a012051229ad23561b9a320cc1c

SHA1
c180a1b6aaa6ad8e5008f89c236fe9a3f33cd608

SHA256
356e4f62bd9dfaf37e2bf79a89f9649ed88efc5940eb9e6dcbc3210514381d56

SHA512
f1b3a1350241e61c968ceaa7992038102aa12184303f67a050fdea800a6a4300263d810baf8af865d8647722afcaa935cd88f5701e95cbd5b0dcef3826208582

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a84d941a414d6f7f032fe70020cee434

SHA1
3b4ffdea4c3de09a4a111c2da8ee516a9db8c78d

SHA256
9f9aeab4c7e1d7b4040a95614139fc45475426ab560f4ca7d2eb0d0ebef26c3e

SHA512
1766105238372c0f18f4a33d00049fff578a7868a6c86cb13673fbd9b07fc1d65c9ade537891959e3381b4f81c5849a428b8b7d798346e50329b5edbdb37582d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dff9cfee518c3bf0b6499749b0ac89a3

SHA1
9e678d1e4a68d0ce4e2ac125e5748d33763ab97d

SHA256
174930c9a1b1754f0012022b3bcc8f356de3226119472b9ee9e9bc0a6a877f98

SHA512
cdea0fa6a45e62837f54d99107bf6b2e3b7a94fcdd634097f20971f1899367db23663516a6167bf68095c197d6091a86cc3b003fa10253052c018b5352d622e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06878de0d284222df4def84f5b995b01

SHA1
1f4929bc564266c388e3099b2acd9dc22556dd60

SHA256
d36ee07c50b7a9d9b973af9367a998d996003ce8f522210b1f8232be4843b937

SHA512
d5ee8492803fa6f44158d6770b0bdedae154f49238bbe47521ec6f0006833160832dfa837f7c3dee5010348599537505a3ba7b8b84adaae7abd4ba8969e469c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5c18faf197333b471675aac980851fc

SHA1
70d9b4c2b3e5425f56721cbb242cae5b07f1fd4c

SHA256
751dd2cb12004e8cd05fed63800b38ae051b9dee2a1aa2507c3cf6c8f687af23

SHA512
14e509bb8bccaf7a6f0f59b9c4cdbdb2e720a78743fa17fe5afe19422252e638599aa8933a0e3838971f234175820430fb3744f34e19a4fa287ad3f4bcdc4803

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8106a29258abaeb30b5ee5f847ac1831

SHA1
195fb4ed24e34d33e5f28900dfc3414b08b0dfdd

SHA256
5343b0227c960f8da4707f1e3f6bafa2f967a3f4e049ab4b131d058332fb971c

SHA512
fe114bf9177ff1b1eaf8176b091fdc87c6c19ecc0c3b860c0bd0da66cd77aff71b82e7e871f40790003a1c87d595889736c661a74fcf9ed82d5f6e955c3a80ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
148eaaaa10acddacda27a9eb96bb345f

SHA1
664eedcbc9caada348700be3c62997ae4be83462

SHA256
204d8cb70dee791453a165bad782e8345b59a26a0cfa2dace8cead708d332bb4

SHA512
1cf0e7814902aef93f91302d376df4322ceb5f42f5b14ae77a8f0863ed77eedd2f22fca8760534ce106f85c3de18399bc2db5510777342a7b8eb714a3c24bddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2043e1469e2e2452bb9c03ba19f8cb2e

SHA1
576d25ec8d15b82afebebb66b8af46879d34e3c9

SHA256
8c110a4627c3d86750c5956ff792bfa3491ade48452bc5d2b928de78e9dac192

SHA512
3a176e30c96e466d9d94d03c89c5fed26bc3a2201ddbb10d93a9554b209e8babd714787ebe57ada46e92b5c67e545f671a9e2201da8645d386adab7b3121c736

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dabc9ee2aac7741f662751de546cb3af

SHA1
fb59ae55fae5c32e04ab68e85162f89a8f889f72

SHA256
af4d71fad449dc3a97df3cb367174bac3c9d0bc47b0129d98140278cf32084cf

SHA512
7d69961f8773119dbf99d5d541534ba9271cc703a96d34278ad5a83d7e65603a3eae93c4ef3a20746683d9384ba15626b28a9956945e66a7f024bb997f420c93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
fb163830f7ee9eeac561b42770f1e9dd

SHA1
2cf20c467ba50bf56c9d20056ee7090b8a340701

SHA256
a46352a6c22070b37a06a864989f1bd2e04d8135b8fecb0bab5a7b217eb752d9

SHA512
1c3a8fe8b41a8eafdac863298ef97e9a619d5d5c5f639c996fc19b0b7315b35b0f1e4bb75c5c9edbe7d61976c526382e2ed2dbcf9a2604869d6952644cb8f150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\LP0UESC8\www.avira[1].xml

Filesize
223B

MD5
1a36b7b6a831010ec3cc329858cb8002

SHA1
f1657994a7d9931b06b61338c024fd2e87d4633c

SHA256
ce4d116ad586487ee34af0bb3129d173f12408694d8908a92df774f424ce8659

SHA512
1afeeb8ce4b70d3534b527438dc4c47a2833b346dda2355fee512e29d71a2616a3856f129b6964864801378ae2bf3fa1bf73629adc5c5cc16307df5ac34c2ed4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\LP0UESC8\www.avira[1].xml

Filesize
436B

MD5
eb0661d61c1372e7d43a8248c6a589fd

SHA1
2beec5c35f3ee8934993f19c7339fad92117d3f1

SHA256
5cf0c9a276765817e4df1c126eefd68159f910c9da05c0f25ffa115112fdc99f

SHA512
6b995deba53228dd6cf10480d989d8bc94e610aa2794124e9633a849c4dd6d165c207c6cac347eeb0f7db076be50e11c769311178fdc22756f199eb31645a206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\85y7ywt\imagestore.dat

Filesize
1KB

MD5
1b0f31f3bfce996e883496442adce4a8

SHA1
340fcc79602bca84cc5f60843566ddea27cfd4d5

SHA256
829c37d416440c6ae1e213b9b4b4c79e3f77d0c20859ca67ccf49c2a6dc7a884

SHA512
6da269ee5913bb191c6397bd008f2b63aa149ce7600f0e70cdda5bf130aac84ca54ed15aba3c72d5b7b665f035421d4be93347894f3b39c15c2f1ca5a0965eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J7FHNNOW\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB899.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB898.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EB0V7RBP.txt

Filesize
392B

MD5
29bc7107286b591b3ff41af33127e656

SHA1
f0ce012648de5f06f5048d04379aa49c44cfd0b3

SHA256
6d72b2d451c3bc673d30b0ba9c6b7dfb5be10cd975fd6214c5c6b71a8e4b70ee

SHA512
6c6c999a140063fae822f8a2c6f7ae588c698d59f2b52184ec5fb1a4cb8a7a08b5ce37ac3a69600f97a60638dc58d5e5a9dd17c4610164cc26c22011bede3c66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VK234OFM.txt

Filesize
580B

MD5
314fee2276c3ad703b1c44ba0777cef2

SHA1
5627caddfa3da367c7fff75af214e7fa65ec7a3e

SHA256
3142e039075c7e2916226f8d0fbfa301079cfbbf76ebe1f17a45c2eb193d26fe

SHA512
7a93d0022579ef3a776161a0d8d20e0f84510a63a2cc6053d2d3932c89344aca0266c13dfac4df6346f1a36a3ff17799aafd8f9677626706c2c80e0167bb97cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YWU61Y88.txt

Filesize
638B

MD5
099862065edbcf4e81b3b910517ecded

SHA1
7075c4873c8941c76c1b065659046ed78b7d9316

SHA256
3aaa90efb06a46358d490d3230ef0fe2b7ca7a71a109c00ca6e094b664bb1a62

SHA512
b56d227c680468d2876711f4a37e535c4a3e70001d96403f817c7613de354427b5ce905b2575fadcbec3d7fa2826ec40fd173522c83624090f4ab5da1c2e125e

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
7805538d58f3fd8f35095e8f23cc1877

SHA1
36f902bc2df05b944308d253a00158804d4e1b10

SHA256
36a283a3dff96092b04cab3626eea056a66ee17b98e3b77f0aea277e0ebe12c9

SHA512
609109db72bd23cd8e9fafa1b40ab8d7d35f2fa46f49d32a8909d7a8464e8d9164c032adec3d1e071064fc82480fc884b538070ca416019688e373abab5689fd

Download Submit
memory/1976-120-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1976-2-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1976-1440-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download