410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
Size

3.0MB
MD5

f11fd043f1263a6f3d92b8d5b3a40959
SHA1

a1fc5a7aace39cb0c1de8b01779255960486f31f
SHA256

410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000
SHA512

a5a43652120c1142db823598c9302eb646265b1b2fed5bed9d92a3485c861ff6b5f7de56a1df631fd6b9d4c6f5b7111e35a51db2e28c6ed7e37c57a601166954
SSDEEP

49152:GtSL8K3mO+3LZT06JKFoCfwxpdFx7OFCrPYVGwv5Mv2xplBVeH:MSYym3LZ5/KGdFxBKw2xr4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2748	wmpscfgs.exe
2612	wmpscfgs.exe
2676	wmpscfgs.exe
2884	wmpscfgs.exe
1628	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
2748	wmpscfgs.exe
2748	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2EC8FF33-6D5C-11EF-913A-D61F2295B977}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\BC22VKKC.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2EC8FF31-6D5C-11EF-913A-D61F2295B977}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\BC22VKKC.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2EC8FF31-6D5C-11EF-913A-D61F2295B977}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs

pid	Process
2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
2612	wmpscfgs.exe
2748	wmpscfgs.exe
2612	wmpscfgs.exe
2748	wmpscfgs.exe
2612	wmpscfgs.exe
2748	wmpscfgs.exe
2676	wmpscfgs.exe
2884	wmpscfgs.exe
2676	wmpscfgs.exe
2612	wmpscfgs.exe
2748	wmpscfgs.exe
2612	wmpscfgs.exe
2748	wmpscfgs.exe
2748	wmpscfgs.exe
2748	wmpscfgs.exe
2748	wmpscfgs.exe
2748	wmpscfgs.exe
2748	wmpscfgs.exe
2748	wmpscfgs.exe
1628	wmpscfgs.exe
2748	wmpscfgs.exe
1628	wmpscfgs.exe
2748	wmpscfgs.exe
1628	wmpscfgs.exe
2748	wmpscfgs.exe
1628	wmpscfgs.exe
2748	wmpscfgs.exe
1628	wmpscfgs.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\259543231.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
File created	C:\Program Files (x86)\259439412.dat	wmpscfgs.exe
File created	C:\Program Files (x86)\259439537.dat	wmpscfgs.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431904584"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f03551000000000200000000001066000000010000200000008f84e9feb80a0398e81e47ed1b101d8a71ae75c298a93f74a4d53a8bfca49440000000000e80000000020000200000005a314c64b1356d32252f054e32c1e26612b9ff9ec987ad531d2e1a9bcf85c5c8200000005daec8afabd2b35ac50152c2c61e96b13b7374ab89956b3c03a96d8819b30c55400000005a9dfc46b0ead4372984fc350d089f0a0e64d5296cb9624cade7f85bb142c5bc72b4d95ae197358ef540621e77a8858f4e82efa5d36df7417c9453b54f31b54e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80e816b76801db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0FF6E51-6D5B-11EF-913A-D61F2295B977} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f035510000000002000000000010660000000100002000000077e89c74955843d80842c6ae8e834e560e37e702201db32d30d83c3f9f49c9d3000000000e80000000020000200000005958840d740f035022a6c91a3d390bb9784a3b247aa51fc871508613ebf32eec90000000be6aeb7ef23ce7f565d21bf3d61cceb07e9981322d720541632d54e7f6d4ae8111e4df0eefafecaa2c85f56bc358b0b4cacf6c8606211e490cb208c59f7f51d852ccd4063e4295f98088fcb8d31bd483696793eaa2a69557bb66a24ba5bd59c3a8710f5e94fcb829c741da5bd16449c2303e1d3ad415c9a98c53258ed8b0baf36ec5362d7cbbda2d2eb0efd74e4f63f0400000007402fa19eb37348a240550b34ac755f8d26d6e5f2f1a5857b1e849dc2e9f5fe1fb622a44395596ec32e97e3eef37a651b1fdeb660db37ac093d290793433065e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 7075c0fe6801db01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807090006000700150000001100ec00	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807090006000700150000001800260000000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D90DC620-3478-472C-ADC3-FE3C13AEB0D5}\WpadDecision = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "ga3qnwo"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wmpscfgs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags = "1024"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = d04361f36801db01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = b0f88cf66801db01	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 900666f36801db01	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Flags = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Flags = "512"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
2748	wmpscfgs.exe
2748	wmpscfgs.exe
2612	wmpscfgs.exe
2612	wmpscfgs.exe
2676	wmpscfgs.exe
2884	wmpscfgs.exe
1628	wmpscfgs.exe
1628	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
Token: SeDebugPrivilege	2748	wmpscfgs.exe
Token: SeDebugPrivilege	2612	wmpscfgs.exe
Token: SeDebugPrivilege	2676	wmpscfgs.exe
Token: SeDebugPrivilege	2884	wmpscfgs.exe
Token: SeDebugPrivilege	1628	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2576	iexplore.exe
2576	iexplore.exe
2576	iexplore.exe
2576	iexplore.exe
1708	iexplore.exe
1708	iexplore.exe
1708	iexplore.exe
1708	iexplore.exe
1708	iexplore.exe
1708	iexplore.exe
1708	iexplore.exe
1708	iexplore.exe
1708	iexplore.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
2748	wmpscfgs.exe
2612	wmpscfgs.exe
2576	iexplore.exe
2576	iexplore.exe
2208	IEXPLORE.EXE
2208	IEXPLORE.EXE
2676	wmpscfgs.exe
2884	wmpscfgs.exe
2576	iexplore.exe
2576	iexplore.exe
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
2576	iexplore.exe
2576	iexplore.exe
2208	IEXPLORE.EXE
2208	IEXPLORE.EXE
2576	iexplore.exe
2576	iexplore.exe
2208	IEXPLORE.EXE
2208	IEXPLORE.EXE
1628	wmpscfgs.exe
1708	iexplore.exe
1708	iexplore.exe
2940	IEXPLORE.EXE
2940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2748	2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe	30
PID 2820 wrote to memory of 2748	2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe	30
PID 2820 wrote to memory of 2748	2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe	30
PID 2820 wrote to memory of 2748	2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe	30
PID 2820 wrote to memory of 2612	2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe	31
PID 2820 wrote to memory of 2612	2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe	31
PID 2820 wrote to memory of 2612	2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe	31
PID 2820 wrote to memory of 2612	2820	410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe	31
PID 2576 wrote to memory of 2208	2576	iexplore.exe	33
PID 2576 wrote to memory of 2208	2576	iexplore.exe	33
PID 2576 wrote to memory of 2208	2576	iexplore.exe	33
PID 2576 wrote to memory of 2208	2576	iexplore.exe	33
PID 2748 wrote to memory of 2884	2748	wmpscfgs.exe	35
PID 2748 wrote to memory of 2884	2748	wmpscfgs.exe	35
PID 2748 wrote to memory of 2884	2748	wmpscfgs.exe	35
PID 2748 wrote to memory of 2884	2748	wmpscfgs.exe	35
PID 2748 wrote to memory of 2676	2748	wmpscfgs.exe	36
PID 2748 wrote to memory of 2676	2748	wmpscfgs.exe	36
PID 2748 wrote to memory of 2676	2748	wmpscfgs.exe	36
PID 2748 wrote to memory of 2676	2748	wmpscfgs.exe	36
PID 2576 wrote to memory of 1280	2576	iexplore.exe	38
PID 2576 wrote to memory of 1280	2576	iexplore.exe	38
PID 2576 wrote to memory of 1280	2576	iexplore.exe	38
PID 2576 wrote to memory of 1280	2576	iexplore.exe	38
PID 984 wrote to memory of 1628	984	taskeng.exe	40
PID 984 wrote to memory of 1628	984	taskeng.exe	40
PID 984 wrote to memory of 1628	984	taskeng.exe	40
PID 984 wrote to memory of 1628	984	taskeng.exe	40
PID 1708 wrote to memory of 1752	1708	iexplore.exe	42
PID 1708 wrote to memory of 1752	1708	iexplore.exe	42
PID 1708 wrote to memory of 1752	1708	iexplore.exe	42
PID 1708 wrote to memory of 2940	1708	iexplore.exe	43
PID 1708 wrote to memory of 2940	1708	iexplore.exe	43
PID 1708 wrote to memory of 2940	1708	iexplore.exe	43
PID 1708 wrote to memory of 2940	1708	iexplore.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe
"C:\Users\Admin\AppData\Local\Temp\410ad42c401d2c43db5977b49ca27b24f6172ce478a6d4a20d7edc9e60f25000.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2884
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2676
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2208
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:1913861 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1280

C:\Windows\system32\taskeng.exe
taskeng.exe {C87462E8-B3A0-4BBD-9CE7-ECB57F6187CD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:984
- \??\c:\program files (x86)\internet explorer\wmpscfgs.exe
  "c:\program files (x86)\internet explorer\wmpscfgs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System32\ie4uinit.exe
  "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1752
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:275457 /prefetch:2
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\259543231.dat

Filesize
4B

MD5
4352d88a78aa39750bf70cd6f27bcaa5

SHA1
3c585604e87f855973731fea83e21fab9392d2fc

SHA256
67abdd721024f0ff4e0b3f4c2fc13bc5bad42d0b7851d456d88d203d15aaa450

SHA512
edf92e3d4f80fc47d948ea2f17b9bfc742d34e2e785a7a4927f3e261e8bd9d400b648bff2123b8396d24fb28f5869979e08d58b4b5d156e640344a2c0a54675d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79ee21d3b6907dec8f1a65aaac464497

SHA1
a33d729cbbb71059cfad78cdef2f4c6c077d5814

SHA256
8bbc3490eecc1604111d1723f5c58ee540b4d4934e2c875c05144286612ed6a7

SHA512
1e140176292f3d8a2b74c2bc43334a8b1307d16ce9ec3199bb147343c87c6eae3bf8a5392db3003e9a8b1eb825f4daa8bd2789bd985683cebbf2d663fae9ea4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20f255457c328ce555f1639d940d5581

SHA1
59ee750500236f22817c130d8dd393e0d32cb9f3

SHA256
7827aee1bab4eaf8e5818caa65f8e4d7107fede6e2b6f58ef9ce331059e9c32f

SHA512
f27512d34f12e38ac5c969f9a999e0832b7ad697c04ad55add49ba11d4cb369d2abc76f250ffe8aee7d57e5bcedf70de9d69467df913f1b69fd245ff76a83b5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d741991efaefdc3e3da617ae02f55c85

SHA1
015c4ec80024827073c560f0ee4463e7d53b44f8

SHA256
4867f11c770285a29d7b26ad52ef78218af102da51db0d3201aa1149f30b2a39

SHA512
53e40e83fdaefbad4451e2629be23f2da5a0cd6f36bed81e8cac7867a6f1c6500bac431c78357fc7733fd9b23edf8b23859ef7fea2cd6e4535b65ffb0aaa8451

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb49fc700e7a28a991503cd0edfe0a9b

SHA1
7bc3ed3c6a0c860c88cb0e833f01cf7a84a4c114

SHA256
7d52db24a5752c6814d34e53adeedd7de2e4abbe5c38ee195f01d63ef9f6bc07

SHA512
0eb6df3acac533d5f79a611827a38b1361ce23c0f592cc16c6828c7166945949ff78e20d95c8fac30d3085fa14dcf611121b52b38b78494da631ed4e08f3cefd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
318998f699f70b9c0ca22b18a7357e4d

SHA1
ff53a74ba7bc2f50f7a1324b2571a4feaa32c032

SHA256
793ce80878a155085ccadab74b252b5ffa0494ec9e2f0e281182fe4868435e42

SHA512
795f24385c0b180d4c5d4335120ba7da1b11d2c6338ac60e9a9d25c40a2e03e18a89d7075950518e6a57c52dff47f11e4cd29fc53576903840158b8a47aacce0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73d3e0c62637894e48dabd2ff31c71fc

SHA1
f6eeee08a1ca81df07f10658e925f92c8d6ba80a

SHA256
53ff8e01bfa279da7ca5c91927423402a792d5fa17bd8bdc721e8e397d46a973

SHA512
d6779bd8b01e7a0838945701a1c55503eb4288909d9d6cd1921f8ab6f5b221e35cac033e65b77890011740a1470521248b794cdc8a8bc925571ddca9b73de11b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
918ebba5d44e26f91f625bde160a5980

SHA1
c4a2efaf6cad839101333ed2e7978b49772bf270

SHA256
7104a282d84b5a6a531532640a48bcf9b2524e2bfe700ab3b10b7f47ce723ec4

SHA512
4a83914057307eee6b4ca0de0503240c0b9d8e0432ff2ccdd7412e2c7830f7714554b66c4964c367f9bf12d7aeab9416e51445a5170b59b48ab1840fd3030dd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2839038531c93b7749aa823b2ba4302

SHA1
f3d71d788eadb69f9a08825e68888ebbba6892a7

SHA256
0f8b782c51c4e2d27767e115b558fffd630dcee7a20f479478b6bc16584c4040

SHA512
2dd3b1d18b1bca568cb1bc771ef78be59da0d3a94b89fcfbda8231be502751dd1dd206ff1204654777cf2824b03e91922ab2e35bfe904e197ecd47f8b111127d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6a4de005fe84bf9c09f572a9f634b7f

SHA1
b66542b0782ad98a63cc71adf51634c42187887b

SHA256
12c5feb5a4580ceae3f04c861b6229fa8e736a58f793aa6693df06c5ce66f163

SHA512
5f9e07d05ddb1f76c3e6d8f02ecaa819bd14b1f05c14f9eb58e6611f1ac1b5c60a67b9aca97febe52fc6ec39a5abd97c5f8deff06c0685013a3d061be3f35ebb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
812db51602303f4332fa091cf22d93f5

SHA1
40d35ec2a44c0863c8230f2c8a58b034b91da2dc

SHA256
0cad8c1bc05878dabe905e164a4dc50490c4d4d798f1b6295489b27478974846

SHA512
221e37f95080adebebb07892cf15509ea8bc4d88449aed0abeb1025ce45e02942fc12c9913d523e13918f394f27d9b7330795729536c73cf0cf74d4f72927793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4134cf6f0f160a7f57bbe473c27e77df

SHA1
ea17472218ab2eddfc462cce69e6ded7c7b896f0

SHA256
77042042d48f426c38c18bf48e064f8827df5b0d978c8ccaef1e22e9fa210893

SHA512
ed7cfc78e776ad3200bfe00665d0acb0e0f60a76843cf351cfc27c144eb57b19ad6f522b7ccc076be743273d8374a746a8b516c695ecab4161f7b47a0faad506

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9aab6d8e02a6df28055d30b352bdfb9

SHA1
f24e2667739374d7e0f04a3061828d0e8df594e5

SHA256
ae8b15427a31c0e9067e3a1581e701be5b3102251ff8ee9f8dc38287b3b21620

SHA512
b0076e1eaed85190a44d7b6bf1e9223583beec909cfe38ebf76c16878d78cc65a7fc3e2cfce1918814052bd4f7fc9331e493a2d6925835b076f77d8eddb14f7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e71f9f4571c60f9ef9e23ef8c3f873d

SHA1
c762a90352d6983e520935057e001324e2d8ef9a

SHA256
5f4baed27c105d9b81fa0476a74e3de19603bdd1a5ac0612528c7b77b0018c7a

SHA512
e312f29a243202d18caff1caa74b497dacd38a475b1c61ee8abace2e6b2c8b43090928c1a555e4713990e5cf7eb92d48123d30fb26109e10611bb242d8334e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB9A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEBBC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
3.0MB

MD5
a9e01f74e0dd2fc9c421a0fea24b4b6a

SHA1
26f6f9bc449520e8f0af302eca26afa678a73e3d

SHA256
a1d9665555a30e4cd219df07f322979260d873bb2d8399a16450aa0705e3d665

SHA512
e4a7b499869155286a048e989f3bfb218c311bf0bcdf2515bb2d7d32aed55976cc2036d2aef7c638af1b55a88263e32cbaecd71e84760a870c239212930bbf98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7NQ8A6OV.txt

Filesize
107B

MD5
bd3214958983cef7fae389f079c4f2b7

SHA1
ec617602cc75cfe71daac99df1a817fa3d1a1042

SHA256
2894b52427953c4a064208ae61dfb17ae3d5e9e2749d1b08477278239fa53973

SHA512
2400b957c36602dbd772b02adf59c4b2726103838236538fdefc0b5a9350893a35f35947e5ae811a3859e7a10e75f9beb3a191832c35339ca13268c25ddbf333

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L0T7ZPTA0WC701UO29S8.temp

Filesize
3KB

MD5
b01376caca6809e0380e1521c432f17d

SHA1
d7095369bd34c33aaca52a3b3b5d6ce72275ae4a

SHA256
6eea2d128e81c9caca3377db5f2948f6d8065a714d4e55b28eec1b143a190d4e

SHA512
b84a323266e5e79cb6d69746b69ca618e0a0396c4ea7422b0548361ce0ce8053c023555e263d45aadc4c6b8e48edfed2e36a6a21180fb492478de522c40f853b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
dc22e5ee9abf06f76c02442b5057154b

SHA1
2bf5f9b5eec6fd223902d29a977eb129d298262b

SHA256
ed5c06ae8fd90044b2ea755910f1eff83695d38c81d7685e16401e8b93fe1a7a

SHA512
e2cab63edaa3196353e55930050826060fbb25b912a8343cb4c361925e30d3536222d58a09c33e4f3c1bbf8ed72cbf3222a9a183024b42f3617599e9f7b7ebcf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b69845663da6a79426be8a6763c9dc10

SHA1
c83778b66e5490e0ce0a9f33058aa2542eb5c389

SHA256
b119e30e4399208f75a07ebf22ae08011cc3d7aa544c79271bca600738c8bb6d

SHA512
44db21cd648a9b4e8b4c529b07aa271ecec4aa2341f252fbf0e28b0ba5f9472769cd72463cfeccfeb9dcf333c732880a2a6d8f25b462c1162cb930cfb88b115f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07750d27656ab35a86273135d1820da8

SHA1
4bea13c90d6b69cd414bcf158dbb392f71b5a70d

SHA256
b34805eb0f5acb869e91036ffda72cc0e85930b52fd3634de861ace26faa0d62

SHA512
f1c3c668fab4b1f887ec9daeac7c2186603dadc82a8d971c37d998615329dce23da450ae78ac26ec10b476f053d5910d79562fdf59c3fd25825431663c88f8bb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2b688f70928211bdba762eb0b61961a

SHA1
5b7e733dee1c82d98ed4221c36dcf42ac01cba18

SHA256
37fcfbbbf566ed7d2955d99ea910c08dbb9e6f2704a9792ddab519afd96f3b33

SHA512
2959f66fcf7a0ffa46a5d3b2af779d34c2351d83e02988ebb3ca9863dbfcfc509ec744e9e58ba8c11963730d19b1c09f2c71807ab69d4f6721dda88769ef8509

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13a75752320105fa1ac1b36afd1ecb13

SHA1
9008cd012a5ec626cfe5412a55e6b1afa88bbb18

SHA256
678fe34f62215f3cf564f080309254349e6d6f2281a9b044a9ebf7aeece78b8a

SHA512
956ba8d5035ab232e9c335a903cc46e21e81c327138a181721987bf7a09fc7d4f42126adc24bb70e2b6de329ccadca1de7cc484d65acff13fc0d36caf2ed9678

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85b3d4097382a2679bb3e2c1e9212fb0

SHA1
221ca7ba070dd202a70fb751c79ab2c21973418f

SHA256
43cd732bb53dcdde97c3bd4e7a23e32d662e7587984eba4c481f458d60fd4154

SHA512
5319d971a954c16922b1af6d00206367001f2b4720b20930b418ba5b2365cf666f79c3a7ca6e15306dbb868355decd1d9b706e5fd515762172de0e5e3fbe0d5f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4410eeb4545d97787848866c1e754943

SHA1
146c68c59644fa9cf963a885032396612f31a010

SHA256
8eeea9e42b8bda0ceb5cf415027ec07ec040a1f002f1ec53a5d97ab8089eb8c3

SHA512
4a4c45757672face39ff13522fd60b65e55bcd21a6763bd03d9ae6d897f77015a2f3d636ce51106e17741fe123af167fad49e162003d1786ff457952949e4656

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54128537715d368c3e0ded882ab6046b

SHA1
040d71105456a5f38763b358b098b2345bc453ee

SHA256
0ec3e0febefaa3ceda0aa84d35ab4daba6ef427e0842955868312dbdc964e024

SHA512
896c4255c3278de1463f855559fee1c804dab116e85e1fb4a2dbbed38a053dc04a8d823cb20a2ce42e8631e439fb82ac6c5cc69189af54b85d4f46fbb59f22bc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7960401bfab8230f69674600168901a

SHA1
38bbabf90a11f9668a865b67d1bda38d5f653063

SHA256
791c9e12f8704edd3e3be526b9ee0d0a3f2edae4ceaa393350103c7f05552c2e

SHA512
89f6aecf0a39d544ad9a0507111ce45d74e3e3174f442078f78a58c7cee826941328a938f3261ecdd67c8e7a46c7ba8ad6f7375d12755e84710cf0211c879421

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0d382cc3cf97fc7e0d522bac03e2f8f

SHA1
8897e4bbd0e015fe31045c79b73b65bdc573673e

SHA256
6925923292127a479b389c6158e4bc1a92c1d0682eeececbdf9c9b5f795f2870

SHA512
7d39d952061a269ae836da2fa094a20b30678f3529796e41ee2d2479ce8c99662359931bf92c18a1967a21d17071d7bdf5c070e607e68f1c41969ed4f0a544fb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4aefb893865a86c77635e0cc55cb12ff

SHA1
a24203fea176ec6932ed8d0411f0498fa7b16c01

SHA256
22ea7ce81b08646413963d62fbe7c6d73b698c815a49e9b53f65396838ed75b9

SHA512
5792012c900143d2bdaf0a2078a872d912a5a175471953a722f22b266177678d4ed2a50a68d1dd6329b923e053881a34a060259f4250ba0469059101826353bf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab6695.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar6A40.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\www6326.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www6337.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\Temp\~DF37E6322AE2D15576.TMP

Filesize
16KB

MD5
bd7db75aae276ef7c95665f93ebe5dbb

SHA1
e77c12631baed14d4a76b9264bb869d67574a8dd

SHA256
66c5f78cd7ca3c00d0c16f3ee180d3fadd54c88b16a3d4cd67f3062ba18fa51e

SHA512
a166cc5340c7a37392af5a380326c101776e7c51be6ba1bfadb7365066ba2ec2f63332f518e483746b3a2dfcffdaafb513d257f5bbfd456e3258d7902ed86963

Download Submit
\??\c:\program files (x86)\adobe\acrotray .exe

Filesize
3.0MB

MD5
0fb9c687fbd1b4f07c7bc67dfd96df5d

SHA1
769121d2416fb21bd286ff7742ca8c7c2adc06b0

SHA256
d60413ba7130f64c09d3bffc121ab906338b8c72843ad97d8a6a813e66536079

SHA512
1a41aabed2d3a2311a81674594889b677941f9a3ebb6e625aee60cc0a0d8779ac13ac3a38626dee5021ebc9aa37c1ef86e20eb088fcbbd5b1158ccafeeb111fe

Download Submit
\??\c:\program files (x86)\adobe\acrotray.exe

Filesize
3.0MB

MD5
fee3fe6d1ed58417cc25e4a547e436c0

SHA1
f13038c843e85e2c95b90e491f1e9d8f98110b62

SHA256
88d3ffda7fdd6ed5624b566d4e66ef0b63b5bd875344fa8c39106f63c7381366

SHA512
88cf335993d3e6883344490ddb93403761bfef745888c193cfc9a7e158ec3a94380f5a79b88d0b88bf6f6320ee4c321d160da586479ad9a88d6a6ec8f83c1782

Download Submit
\??\c:\program files (x86)\internet explorer\wmpscfgs.exe

Filesize
3.0MB

MD5
5199e1061dd85d085f4a572698c054ed

SHA1
17b4fd51e9b0a87acb35863429fd34544f455484

SHA256
5bba6a9f87f141b8795ccd23fe0d6f4233af414cbf06c17d50421ba78afc81fa

SHA512
18e0aa8b970ec9e1f43d69689dc37f28a6065fb9f491593dc04ff4f2abf1e16e1ac87c81f8b8e2bf3438c12a2fffadbe14ea7a58cd8503e809bf997f49e4a9bf

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
3.0MB

MD5
d00d99d1404b8fb8e7c3196f2c90f874

SHA1
15ef48b03ddd00e0e5c8ddfeb363535978ff3c8b

SHA256
6fabb6d4dc32470e4ddda53a33a902fd56377e8545d8069ac7136b1040f65973

SHA512
966765ca47e38968aa5adcfbe6a9a5d39de7de627307e4218286b6a90181991b8e6d16501ff5f7c109201638fa6fe4d1b41aaa4f2e996ec91167ebfb9c94023b

Download Submit
memory/1628-1625-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/1628-1621-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/1628-939-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/1628-909-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/1628-931-0x0000000000E30000-0x0000000000E32000-memory.dmp

Filesize
8KB

Download
memory/2612-43-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2612-51-0x0000000000EA0000-0x0000000000EA2000-memory.dmp

Filesize
8KB

Download
memory/2612-55-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2612-40-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2612-32-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2612-140-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2612-196-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2676-73-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-66-0x0000000004A00000-0x00000000053B6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-199-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-910-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-908-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-895-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-894-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-451-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-65-0x0000000004A00000-0x00000000053B6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-453-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-68-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2748-42-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2748-454-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-1624-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-39-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-33-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2748-139-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-340-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-54-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-1403-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-28-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2748-29-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2820-27-0x0000000004EA0000-0x0000000005856000-memory.dmp

Filesize
9.7MB

Download
memory/2820-26-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2820-3-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2820-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2820-24-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2820-41-0x0000000004EA0000-0x0000000005856000-memory.dmp

Filesize
9.7MB

Download
memory/2820-0-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download
memory/2884-77-0x0000000000400000-0x0000000000DB6000-memory.dmp

Filesize
9.7MB

Download