floxif | 39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483

Analysis

max time kernel
120s
max time network
91s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483.dll
Size

296KB
MD5

8f4c7d749a2349d1a7d722be0ccef703
SHA1

cc4a971226e48748d4e07adf11a0c303bd44b1b4
SHA256

39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483
SHA512

71def671627382022def2060ac87e057077075a7eb745a0d67b18430b3d06dd670d830d68bb2448a2e567bb5f679a11faa8f518e84490c51ad58b05d6a1ebc93
SSDEEP

6144:r5y5VKltxeqbaacNnrQ6O6agZCPUgidwvRC4Kmnw:r5y5sltxeqbaar69ZNPUnfnw

Score

10^/10

floxif ramnit backdoor banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

regsvr32mgr.exe

pid process

2540 regsvr32mgr.exe
Loads dropped DLL 7 IoCs

Processes:

regsvr32.exeregsvr32mgr.exe

pid process

2520 regsvr32.exe
2520 regsvr32.exe
2540 regsvr32mgr.exe
2540 regsvr32mgr.exe
2540 regsvr32mgr.exe
2540 regsvr32mgr.exe
2540 regsvr32mgr.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

regsvr32mgr.exe

description ioc process

File opened (read-only) \??\e: regsvr32mgr.exe
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe

pid	process
2520	regsvr32.exe
2520	regsvr32.exe
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe

description	ioc	process
File opened (read-only)	\??\e:	regsvr32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\regsvr32mgr.exe	upx
behavioral1/memory/2540-10-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2540-15-0x0000000010000000-0x0000000010030000-memory.dmp	upx
\Program Files\Common Files\System\symsrv.dll	upx
behavioral1/memory/2540-18-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2540-20-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2540-22-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2540-50-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2540-49-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

Processes:

regsvr32mgr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll	regsvr32mgr.exe
File created	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	regsvr32mgr.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	regsvr32mgr.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	regsvr32mgr.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEIEXPLORE.EXEregsvr32.exeregsvr32mgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19597501-A6F8-11EF-8202-7A9F8CACAEA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19594DF1-A6F8-11EF-8202-7A9F8CACAEA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438238865"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat\CLSID\ = "{6D835690-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormats.1\CLSID\ = "{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1741EF6-FFC6-11D0-BD02-00C04FC2FB86}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\ProgID\ = "MSSTDFMT.StdDataFormats.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E675F3F0-91B5-11D0-9484-00A0C91110ED}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1741EF6-FFC6-11D0-BD02-00C04FC2FB86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{699DDBCC-DC7E-11D0-BCF7-00C04FC2FB86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B263850-900B-11D0-9484-00A0C91110ED}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B263850-900B-11D0-9484-00A0C91110ED}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1741EF6-FFC6-11D0-BD02-00C04FC2FB86}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormats\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B263850-900B-11D0-9484-00A0C91110ED}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\ = "StdDataValue Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue\CLSID\ = "{2B11E9B0-9F09-11D0-9484-00A0C91110ED}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue\CurVer\ = "MSSTDFMT.StdDataValue.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{699DDBCC-DC7E-11D0-BCF7-00C04FC2FB86}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormats\ = "StdDataFormats Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\ = "IStdDataFormatsDisp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E675F3F0-91B5-11D0-9484-00A0C91110ED}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E675F3F0-91B5-11D0-9484-00A0C91110ED}\ = "IDataFormatDisp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E675F3F0-91B5-11D0-9484-00A0C91110ED}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E675F3F0-91B5-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\ = "IStdDataFormatDisp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat\ = "StdDataFormat Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormats\CurVer\ = "MSSTDFMT.StdDataFormats.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B263850-900B-11D0-9484-00A0C91110ED}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\ = "IStdDataFormatDisp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\ProxyStubClsid32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

regsvr32mgr.exe

pid	process
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe
2540	regsvr32mgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

regsvr32mgr.exe

description pid process

Token: SeDebugPrivilege 2540 regsvr32mgr.exe
Token: SeDebugPrivilege 2540 regsvr32mgr.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

2696 iexplore.exe
2716 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2540	regsvr32mgr.exe
Token: SeDebugPrivilege	2540	regsvr32mgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2696	iexplore.exe
2696	iexplore.exe
2716	iexplore.exe
2716	iexplore.exe
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32mgr.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2332 wrote to memory of 2520	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2520	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2520	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2520	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2520	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2520	2332	regsvr32.exe	regsvr32.exe
PID 2332 wrote to memory of 2520	2332	regsvr32.exe	regsvr32.exe
PID 2520 wrote to memory of 2540	2520	regsvr32.exe	regsvr32mgr.exe
PID 2520 wrote to memory of 2540	2520	regsvr32.exe	regsvr32mgr.exe
PID 2520 wrote to memory of 2540	2520	regsvr32.exe	regsvr32mgr.exe
PID 2520 wrote to memory of 2540	2520	regsvr32.exe	regsvr32mgr.exe
PID 2540 wrote to memory of 2696	2540	regsvr32mgr.exe	iexplore.exe
PID 2540 wrote to memory of 2696	2540	regsvr32mgr.exe	iexplore.exe
PID 2540 wrote to memory of 2696	2540	regsvr32mgr.exe	iexplore.exe
PID 2540 wrote to memory of 2696	2540	regsvr32mgr.exe	iexplore.exe
PID 2540 wrote to memory of 2716	2540	regsvr32mgr.exe	iexplore.exe
PID 2540 wrote to memory of 2716	2540	regsvr32mgr.exe	iexplore.exe
PID 2540 wrote to memory of 2716	2540	regsvr32mgr.exe	iexplore.exe
PID 2540 wrote to memory of 2716	2540	regsvr32mgr.exe	iexplore.exe
PID 2696 wrote to memory of 2732	2696	iexplore.exe	IEXPLORE.EXE
PID 2696 wrote to memory of 2732	2696	iexplore.exe	IEXPLORE.EXE
PID 2696 wrote to memory of 2732	2696	iexplore.exe	IEXPLORE.EXE
PID 2696 wrote to memory of 2732	2696	iexplore.exe	IEXPLORE.EXE
PID 2716 wrote to memory of 2856	2716	iexplore.exe	IEXPLORE.EXE
PID 2716 wrote to memory of 2856	2716	iexplore.exe	IEXPLORE.EXE
PID 2716 wrote to memory of 2856	2716	iexplore.exe	IEXPLORE.EXE
PID 2716 wrote to memory of 2856	2716	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2732
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a9009293fa7606d3ffe9fc8bdde4699

SHA1
70957bf383367582abc3ccb706a3b0be47f5e141

SHA256
cd32a84f5792ecdf175c0558fee3188af73a4b3fe038f7f1e6124954e4726f1d

SHA512
1ce9dd9af42cd58430eded0248d72e8b92635dcc9525a80bf49085934f9942ad4267f1ecd789204642bad5130a56fef094553c4a01745aed16f73f316962a0a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd7207f4791b2a73edb742a7c1b81580

SHA1
5f4527398a5aa29f82c5c72cb22bb41a6bdde7a8

SHA256
d465e87a2bc56c6425d2ad6d8428ada96e2ae8883c94fcd001335551a4412ed8

SHA512
c6373eb8f4c50fdb281c9ec29c822ca31fbacb27cfa583ad9ba643539f2853219e5368f7f5c914c032f0bda0567f6095752f28d93c65842ebefe2b287e7d8e19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae34a7cf3a1257d48fb15e6edf5a4ecf

SHA1
486d91dbd985ee9fbe465eb4268002fde0831240

SHA256
f51e66ecff47a7c9a25d109cc578b4afafc61b17d10c92f211d22b17d90a67f1

SHA512
a02d9c91d29fc08132f12caea2d9995309b1c8beb24c7ca9b30247d5a6ba38caed9282c2884aef838494891c69dd7f262508bdf091574b012dbb3125abc6af5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6debea01fb4b119bd14148dbd514aab

SHA1
7b4c379084c73289dacc7a1588ed8f3f0c81adfa

SHA256
6887fe832aaf0dbe166537653cab00e0118216d31a8f0ea46ef080e672328d5a

SHA512
51db3a83a8d7fe14eedda941cf98f5b0838bdf5f7488043eab7d6573d373b761e587cf89f2a5a8882d8af3588184d117ac954d9886b0eee143710bb802dc5f3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbbdaf846d27a07b8478e43447a6ca75

SHA1
9f98b40e80d89270807c3bcdbdd610bf75b304c2

SHA256
8da286b758605cf848adc7f89e0d053602ef4199d7d427b93d6342133a61a468

SHA512
e1d8f8e415b9b3d6d5b13166f6e2f6047bb31997573e30d400f2e447bc01cbded0638bca4436195f5f3b51926357c47f979b4aad736ea9bbdd55476689f3fa1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5253f2597008da346cf06b67cc5e6217

SHA1
4e03b44a5ca589eff20d467790a24b8200b2491d

SHA256
5d880ab7e6264588b7b9cc4f7970a4fbc113cba079dd0ff00ae7bf7ab5d0ba88

SHA512
59363c2be456babce0f712b765f24f620f8ec70ab4375e2c00af5a5246a8c516db8dfdb308b11d3f3fdf5ce738473eaa06973a1a3439c766940632266b142229

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3aee970f250446685b9779bfff5870f

SHA1
453571d7430d46998bb589cdf2ee3f2fec5ec2a3

SHA256
237fd93be12f07790ca42663191c7e5a4d995de4502a02599a288062006b9606

SHA512
a0537543434c36d185f18f7731970f9ffc8201f6a61ce0b68e77d1782081eb79bd974c5017c274d83003fcd0e32d10169bf6595b064d142c37d58f6cadeb9908

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b5eb266c9c22c88ce78f3fc6bfacfd7

SHA1
09f38d9918dab18e93154a305eb309558ffe9fc0

SHA256
9d9203b0397ec13a6694afcb6a478ee637ef16755d648bc95c99457d91e2efa6

SHA512
7bdfb8d8f22421af82cb1bd93f3842ef4e28928db3fb0f1c21113f9fdef77d19c4d850c01f2d84749191fc4013c1c4ff64d8f06b991f88c5f6a3232b0c87f22c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8049c9a737631c29168319b82df6d5af

SHA1
dc1654c5ded8e37fe9066e94474bdff23aabd7b1

SHA256
50f0d0ac834434370a9e9a0b9a478342640bec703d94c4d73413d8cf8e54e15d

SHA512
676f314d4f76bf2d51c4876f682773dccf2f5d7b507365de5eff2d4f9bed1eb94ed56f5d1f5ebc1aad9bcb347e1ce3b41de88ac774e95716af1bbfff20005693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83c2b52f92b3a861b95fd4dbdc2a20ab

SHA1
f6a7af353cac495643008cd82ddd9cd2e9488f5f

SHA256
d7cd87944847a34b0a138c686a2757532c1e9159fd8c2dc89a60dae04a79a343

SHA512
1616555eb3947b29d6aa49278652e62789cc2b347f06b26e257f1cdcf62fc080fcc6c6ae55b00c340100394ad4492aa23d75cc7d5124b369437d24c9722ce803

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9e8e508009edfba6bb204ea0e57891b

SHA1
30b4e0e42de60651636f7a3df9445a0230002b63

SHA256
d29cad62e19638f0d2122b514b6e2d1eba1a156cdddb5816157b99e7312befc3

SHA512
357f38c27b8a002c6b01db797cac0df8d0c9b4ad48f0bf3c91be0813a819791cf8b75c09049d3aabe6a71606af523b4b60da539e72d4d25c28114f1190e1bd22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56f4f942c367a93a8f8f7743060a28c9

SHA1
f9869d7d6684f5fc7d22aa7631bb5ad3a6d16c17

SHA256
22aa49a15de751fbb38e056598c7af2ac2586d1d87a6c02084bdde6282e93990

SHA512
e42c767fbbf13de23502147e89aec0cfcbc9c1e9c1ff4b764716ca9c1bf9449c6501d7d8a49c0527160e98471cd2a1ab6371400fb35dc6fee4cff96c60d90eb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
785e34726e95161d19277e3e8aa4165c

SHA1
340c45fdc3a73658024da4189c4642cc35610e71

SHA256
64d23ba5eb78165559d4ec43af7eef6a1c7989fda3ae2d074f362a5fa400b770

SHA512
ac619b69fadff5b3ed614166750887cd056aac018fab22c995f90a78674905a949f02fcf64f953cf8dc99b73ac0d682931da9b92bfb593978f1808548a1bfc01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b693dc0b4ecce7660a187e1edfa328ef

SHA1
1ef30f3d4eed6ca302ee287b02d5b2bc72de9f18

SHA256
382e40a1bec17a2798f0e2143037edde2d01027b39794b20a0150a6ce27c9be9

SHA512
b8c112bac00c639c9df326c5d6f71340d8f97a82554b58daf5344eb984abb597f97c1331dac3fb20c8d4f28768cb221a74662255df6f9fb091970a52dd649021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d3349a230899a293d64597e3fe95154

SHA1
f7f5b22fc6ff6e7e5ee22efa269e036e7a8d91e3

SHA256
c64577523519d2cc513949db704be501ad37ee7c2549031ae72e6b6f730a063b

SHA512
d3166a7ee3d6285f64d5bc55cd769d7c22a79f9c59227dd7b8f41510c48d8bf1d606c058f6bb99014209b45c5c658c0465e84117cc70b66923bfe872c04b5a01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6905dac04e84828a18932776565458d1

SHA1
d114aa87fb58d2196d5677215214400946e05e4c

SHA256
80297589f82b5347de83a224976f6ec1e2d1963686dd05b7e889d06bde58daa7

SHA512
4f136e72b79257ebc7af236799b7407a620fa9e45c6d6e3ab0e778cb9f3ea0115778fb061a2a031a189b864b80a84a79c0f515160e0880f2fb55fc99b330ce69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2b8d69a5946671e80b45e332e2f3b4f

SHA1
a087e7ef32453da0cd3d6b0b8f036c82da44a630

SHA256
a52366f609eab9328b17b795d4fda7fe19aa7d7db0e09f285104bb5ccc817639

SHA512
463b58f0d7db43a43dac782cbf3d2b798b73f32d5c23bf652f8ed0d509467d6b759c7ecfa58a449e7d6b4e33a34df9d0ac23dad3959938374132d34ee6a295b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6a2dc2cbcbd493d6e0264a74cb44ea0

SHA1
36f65fde2e6eceb3b54c37161b0991742855cf65

SHA256
e43c1165a96e1e1168f1c6cb497ec4a2ecd4732b3279937ecfa508a7b2a24d4b

SHA512
2bc39be9c0b35fad6da380d821186710113d4597594362ed4bd5efd516af7906be15e9511325cc5fd67cf682f9f6256926597b3afc62572139b18dbaff84155c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8576d1b34e99a179c42e7c73022894d7

SHA1
e9f2f29d3fa222f2487e28e065eb4605daebf40e

SHA256
e082dfdb86ca6fb49411e57f9d4a0415a27d56582258d3eac5c1f088d2bca4a8

SHA512
44cca037d87ea178a29048421fe3356a71476035034aa35bb0555e55ac9823648dcfd152c8c90b422e34ef1d07e9a3bc70306b53f280413a806c673a16be46cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{19594DF1-A6F8-11EF-8202-7A9F8CACAEA3}.dat

Filesize
5KB

MD5
a60cf29b6b5f2798f28b7057695a77b5

SHA1
dcfdd33a5bc19140d9f7af11035b3b34cf363116

SHA256
d6f06affbbf761a14a9b5e78116988ed5beaffccebd77f68e2ae0884325d6e28

SHA512
45c28ab05358797dd7cb57dbba27d5d86d08af976875b9afa1bf6d529eaa0dad2a085f53540b07c244f9d952a35545e402d385dffa96e488db61bd88f63ac442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{19597501-A6F8-11EF-8202-7A9F8CACAEA3}.dat

Filesize
4KB

MD5
fbe440038ee1e2c0d064f0f6f15833aa

SHA1
3572a5f9143e721cb1d7766cbe75d320aa94981c

SHA256
9d66f72130107cee4eed167dc2a612669d5abf22f23c548f44614f55ee05b73f

SHA512
723ce2e997d16c2ae602866195a4bf8ca99d1cb2c9db84861fcf99d04ebe914934438be6249976e95a49f1ed90731e4d0abd1c902ce644f21c8543768298fced

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE6D7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE759.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
e096cec8cb5d1ab89ec04160dd396b9c

SHA1
6ceb663be88f237f1d6b084f93c6ac7253078053

SHA256
7b6733c7f56b02154a5489369f340b42898251b40e88c74e5f77ec8bbc5b8034

SHA512
3d5fbb461805234dfd3a76ccfef92158666cf8d6d0b6447a4e571d27fc26579fb87538650f25bff4d9db7af78f62fb16c009ddf88cccb1e7d2e1c669f7f886e1

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
ef2d1b8eabbf488a09685b64d7ec8b3a

SHA1
cde2db9b1fa71e7665af7b3393185e5aef79eea8

SHA256
5b43ad989fba6f0bf8816b9dd9bceae09c63158ecaf693bf8ecc80b4eff9c04b

SHA512
023ae9fbb27bd7c00122c5d729e847928d75f32e904cdfd5d99c02e27b131ccddebc452469644562bdebd713565156c68488ab3a1f72ea3cb5773860a6014b04

Download Submit
\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp

Filesize
340KB

MD5
2ff34b19384e90d616befb932ffeb33b

SHA1
ea8d2943bd8720088f26948f8d7808f5b44813f2

SHA256
6f62b74bdb8d4e5969ea29f42e0edec517f5826d8b63ce9fb7335c1f459cbbb2

SHA512
41339df3046f68d192f81f00fac5f557c2a38d6b4b052117f597fd9d01c0d49261d1005a09f15b6b325d50d565cd56fc15bb354bc651fbc6164d4d76c849af68

Download Submit
\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp

Filesize
340KB

MD5
da97b6b7abebc6cce2bd1fa14bfbd057

SHA1
3d7093c5ff69a9e68365d360355387e91f5d8ada

SHA256
1dc92d9f71c0225c0ff8366408698bef9953ee2bf032664e98ad9622de7a496f

SHA512
6b9199190217ff9c93e6d8f8f66e96ce186aeb7eee6b5cb5e8701ca2f397c68a76114f617e7f3fb5ef3554243cee89dc69af63af0144406012dc4ee707de9f0f

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
177KB

MD5
5c65d0f7ed0cf850e4e9cc219233d133

SHA1
093b25fe1598dbce3c9cb3aaf7da89f9e6fa321c

SHA256
c25c2eaf1dd5165bf46a36d9420d7fe718cb866831b91f22f55561fed08c7f4a

SHA512
2d404c860e037bc7b7e400ff2369de91599f15780d82364f119b356706aa3140499816c00a2bf99ba443206788ab0da527b16c3057372f803c5c112c2eae5d74

Download Submit
memory/2520-1-0x0000000024DD0000-0x0000000024E1A000-memory.dmp

Filesize
296KB

Download
memory/2520-4-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download
memory/2540-21-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2540-19-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2540-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2540-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2540-17-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2540-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2540-15-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2540-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2540-50-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2540-49-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download