floxif | 39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483.dll
Size

296KB
MD5

8f4c7d749a2349d1a7d722be0ccef703
SHA1

cc4a971226e48748d4e07adf11a0c303bd44b1b4
SHA256

39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483
SHA512

71def671627382022def2060ac87e057077075a7eb745a0d67b18430b3d06dd670d830d68bb2448a2e567bb5f679a11faa8f518e84490c51ad58b05d6a1ebc93
SSDEEP

6144:r5y5VKltxeqbaacNnrQ6O6agZCPUgidwvRC4Kmnw:r5y5sltxeqbaar69ZNPUnfnw

Score

10^/10

floxif ramnit backdoor banker discovery persistence privilege_escalation spyware stealer trojan upx worm

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

regsvr32mgr.exe

pid process

2344 regsvr32mgr.exe

Loads dropped DLL 9 IoCs

Processes:

regsvr32.exeregsvr32mgr.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1764	regsvr32.exe
1764	regsvr32.exe
2344	regsvr32mgr.exe
2428	IEXPLORE.EXE
2676	IEXPLORE.EXE
2344	regsvr32mgr.exe
2344	regsvr32mgr.exe
2344	regsvr32mgr.exe
2344	regsvr32mgr.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

regsvr32mgr.exe

description ioc process

File opened (read-only) \??\e: regsvr32mgr.exe
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe

description	ioc	process
File opened (read-only)	\??\e:	regsvr32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1764-3-0x00000000001E0000-0x000000000023B000-memory.dmp	upx
\Windows\SysWOW64\regsvr32mgr.exe	upx
behavioral1/memory/2344-12-0x0000000000400000-0x000000000045B000-memory.dmp	upx
\Program Files\Common Files\System\symsrv.dll	upx
behavioral1/memory/2344-15-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2344-18-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2344-20-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2344-22-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2344-49-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2344-48-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

Processes:

regsvr32mgr.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	regsvr32mgr.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	regsvr32mgr.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll	regsvr32mgr.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEIEXPLORE.EXEregsvr32.exeregsvr32mgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9955FBC1-A6F8-11EF-9E7F-EE9D5ADBD8E3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438239080"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99539A61-A6F8-11EF-9E7F-EE9D5ADBD8E3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\VersionIndependentProgID\ = "MSSTDFMT.StdDataFormats"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat.1\ = "StdDataFormat Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{699DDBCC-DC7E-11D0-BCF7-00C04FC2FB86}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\ = "StdDataFormat Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat\CLSID\ = "{6D835690-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E675F3F0-91B5-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E675F3F0-91B5-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1741EF6-FFC6-11D0-BD02-00C04FC2FB86}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormats\CurVer\ = "MSSTDFMT.StdDataFormats.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E675F3F0-91B5-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}\ = "IStdDataFormatEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1741EF6-FFC6-11D0-BD02-00C04FC2FB86}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}\ = "IStdDataFormatEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue\CLSID\ = "{2B11E9B0-9F09-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{699DDBCC-DC7E-11D0-BCF7-00C04FC2FB86}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\ProgID\ = "MSSTDFMT.StdDataFormats.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E675F3F0-91B5-11D0-9484-00A0C91110ED}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1741EF6-FFC6-11D0-BD02-00C04FC2FB86}\ = "IDataFormatsDisp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue.1\CLSID\ = "{2B11E9B0-9F09-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B263850-900B-11D0-9484-00A0C91110ED}\1.0\ = "Microsoft Data Formatting Object Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1741EF6-FFC6-11D0-BD02-00C04FC2FB86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1741EF6-FFC6-11D0-BD02-00C04FC2FB86}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\ = "IStdDataFormatsDisp"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

regsvr32mgr.exe

pid	process
2344	regsvr32mgr.exe
2344	regsvr32mgr.exe
2344	regsvr32mgr.exe
2344	regsvr32mgr.exe
2344	regsvr32mgr.exe
2344	regsvr32mgr.exe
2344	regsvr32mgr.exe
2344	regsvr32mgr.exe
2344	regsvr32mgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

regsvr32mgr.exeIEXPLORE.EXEIEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	2344	regsvr32mgr.exe
Token: SeDebugPrivilege	2344	regsvr32mgr.exe
Token: SeDebugPrivilege	2428	IEXPLORE.EXE
Token: SeDebugPrivilege	2676	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

2172 iexplore.exe
848 iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2172	iexplore.exe
2172	iexplore.exe
848	iexplore.exe
848	iexplore.exe
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32mgr.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1224 wrote to memory of 1764	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 1764	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 1764	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 1764	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 1764	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 1764	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 1764	1224	regsvr32.exe	regsvr32.exe
PID 1764 wrote to memory of 2344	1764	regsvr32.exe	regsvr32mgr.exe
PID 1764 wrote to memory of 2344	1764	regsvr32.exe	regsvr32mgr.exe
PID 1764 wrote to memory of 2344	1764	regsvr32.exe	regsvr32mgr.exe
PID 1764 wrote to memory of 2344	1764	regsvr32.exe	regsvr32mgr.exe
PID 2344 wrote to memory of 2172	2344	regsvr32mgr.exe	iexplore.exe
PID 2344 wrote to memory of 2172	2344	regsvr32mgr.exe	iexplore.exe
PID 2344 wrote to memory of 2172	2344	regsvr32mgr.exe	iexplore.exe
PID 2344 wrote to memory of 2172	2344	regsvr32mgr.exe	iexplore.exe
PID 2344 wrote to memory of 848	2344	regsvr32mgr.exe	iexplore.exe
PID 2344 wrote to memory of 848	2344	regsvr32mgr.exe	iexplore.exe
PID 2344 wrote to memory of 848	2344	regsvr32mgr.exe	iexplore.exe
PID 2344 wrote to memory of 848	2344	regsvr32mgr.exe	iexplore.exe
PID 2172 wrote to memory of 2428	2172	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 2428	2172	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 2428	2172	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 2428	2172	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 2676	848	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 2676	848	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 2676	848	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 2676	848	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\39e0e99686f3ff4871a53ab3700bd7e5b0fa9a1de1eb9fd90b9be77eb1bc5483.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:275457 /prefetch:2
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2428
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:275457 /prefetch:2
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6920d7c3f6c8d868e37b51170ea219e1

SHA1
9df3be3fec80b9cd684b71e9698127771bb72c3f

SHA256
644f1a3261b1b493a3ddb9a67241fd6d6dfba808e5a96843955dedb7b05e725d

SHA512
0411d1d8790b2d0e70c9183fcd4522922dba04458654aac786c58cee151b655448ece385767f33dc487682861497ccdbcd65d9dae2a5ffe11abfac2a3ec9716b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44d3815655fefea6f16f0a2c63577f38

SHA1
33f2ed1413d6f13a1515660c7b3de5e789cf3543

SHA256
9a55064abb2f2a8afb9a4915f5e3721e04920a1857289e2a11028b3b1c6ec5fb

SHA512
f2e93b9e33310e885dc45f579d0b385e7281a2a02bab9c80f2ce76b4b955fea91c7f3070974e2e23c86002d82f20d6606e23c3c0e61dd933e9554f2052be1e5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e788d2553b3c880a411257cececf086

SHA1
78522823516fa2ab85b195ce8103261ed0572517

SHA256
07e2946b5ce0ba538cd5e59a3b803506e2ed6c70828752ec5f74bca0dba00b6f

SHA512
103841ce6062775e2e11e2ffa1ea0a9ee2a7d9685f4194eb43d29a1e2d1985513ff2d3b1b1d61f422c5ed943d2e19fb5f3ee70ebbd91551505186551fab895e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e137099253297449fabc3eede3fa05f8

SHA1
fd3ab608dfde71760d89eddc5226275526f82670

SHA256
6a829cf7b1f618c06fe5e615ff56e9395f04fb12ad2b2cc7a14f90aeaa31b860

SHA512
5249055aa97f9f00eb016d4d08fd31d98566ddd03b5c446d47706831147f7f9806b163a7794a307297786b7ce2db0cb52e362ec9696638fab07d4ecaee5eb502

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
296c73e53261fd012f206a3e9eeb114a

SHA1
512aaa4ea9b2926c2bd65c9462eb53708046fe47

SHA256
50ddc23b6429a536b4325a217ff198054bd06ef69b105262e2d629a97658f48c

SHA512
e3844af4ce4e6b4e7313bf66f07cbe87b57f7c73e66395bef46bcdfe9677d398794e954d220a07725e097b8297246aa2452e485c2492fa9cbbcd9f891591a692

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0890a07a01ea6e2aa94e5c8a6920fa57

SHA1
620ecfc2dd888968f2013251f702c7b568eed35a

SHA256
a0884f5f25b6ff9a8e1cc48e55d30136cf6f3cbd47d2da42513e8f5fe631da97

SHA512
d9e9bfc937aa132431c06348e1c6c6014c6862a9a1fb64092352962cb01e83352960d8ae9a8e8392eb2bc42575e45668573f6799f422bdb908e5332ab80c317b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9361a00189e9edc51094968e9f5352c

SHA1
4847fd176b3bd4fa05205d8fbe672fd1840bb557

SHA256
c885b424b11e364d56a3497537148099292ad2feec218843ab6543caa627978c

SHA512
f6e731ca51f8c204f99b23a9edfcc682e9505bc1c4f391dbe0e4f9a9d76c6db95d65bbec3bec03490f339afc7700fa406052976b6e5ac8360fe88baf59723c18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3c48936d3b52e63adc289dc671d5bd4

SHA1
5482297c74057fc3bded42b870e339e36b846dab

SHA256
36807d9ef1410c55036091fd261bbe91a5abbdd195afcbcfdf3ec229852c63d0

SHA512
3964b6288e567e176a8ece7e6ce8c9225362100868c5b573a81f0c50f616cfaa3c963beba88fe66cb76d9a305eac3f673c143b8718a6f664541fdddd8a8220f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0ea3b9ea6714413c0121bf6e194a2c3

SHA1
057104a38c97b25419b6b7de58972fea81287251

SHA256
e5cca3a0df9b14cf246fbde695486cfad62af5c643c97e274dda87077bfb1005

SHA512
015580bc18b54398b5c30b8dc4aeea76e1f3f2e3a2facfa899ddf26a450651d3acece9da54340d52cd40a7a099e7f5267bc5773ce850f5c2bfe5098668f5dda9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebb6e38ed56e99b405d2464bce0b427e

SHA1
2a9f4c3963f0043d49dbe126369924e7fff844a5

SHA256
d6dc9b34951607591e9410c5f93bf6d2fff6179a889a5390b5fb7963608809dc

SHA512
f6685a15ef22df164453101f125bdbe50af39dc51ee4d7846d2b7d7ef4cec98ced1bd1faf8f922142fec0d9decea7cab98a2a03de74ad951698d50c10a528052

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e32f03ba1f01ea9ebb572d841cf10dc

SHA1
bcaadba45b17c050c128aec44dc0560398970ccf

SHA256
fd1e24f24f9edd8c4c7cbbe9708bddbc9e98ef2a64b42245d1cd51257435bce0

SHA512
5ac8a1141ad8693207a0f96ed7c483e50eff43192ced266cd5978a4c27641db5a950ead3a09b4520cb48962d3081688254045155702a26b2b4096b8d28367f90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
211cd935df875ab13ee5d2544f123177

SHA1
d8aeb2d3653cd233fc3d3b50a3a9d5d4b507f03e

SHA256
926d518118bf75e5b36c1d56a20c9829b5189eab90d451ecfea7d80dc469b250

SHA512
8436df54292e9cfcb3692ee4952c93db7737ff7e00a413e91e95813afe54a4a74ae71165fc8d4b0510908663ab74163444b82edc924f0c689810168a7b86569b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bd59200261370051a722cbb1b108238

SHA1
d1f2cd6fd9ab9b5c8f6a3b5f6e74ffc62cea1752

SHA256
3f3d926e3b5d704786b626206a6ef02d52edd4ca696919538d351f5784a25a16

SHA512
002173180b836f7da1b43188f32957696c8444a817301d7a8e9dcbfa6e5aaf591faae7b28ef9cc379185e72be9b6f36ad718c15fb93d4d528838b32f0ce76563

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32bcdd9b29cc2522420bd794dc27761a

SHA1
e82fc8aedae8265d3be24cb0ce0934369b8ac338

SHA256
0a3f0e658fa3df3508a0d13517bfb953f18e30b4e5480856ef49b8832f948e23

SHA512
39348516d31ff92cc9f73c22048a5e6a3ddd3379871b9853120d2d12fa959053153ca5d78265151501409db05bcb75ebe78b82fc2656b76baf353c0d1e54441e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1797941d8bf2ef4cb821581310a46f68

SHA1
d14f246725a032aec0e61abfb28470e75bbc7c58

SHA256
f283b15c493aa35cde9913486b20deb097de42f35317a72e5e16cb5f206e85e6

SHA512
0e589e073929c2de8bfa98e9a51c50347d119283c65dd89ac928ff6971a0b736f95e53ab853afaa51336253bbe19f272485e5dc8ae6a10783484bd40f9d2584b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c4315bf09bd0a15b31d749b1788f2fc

SHA1
fb7689aaf8aae91ee915e467a839a8acf74a47d0

SHA256
8ea6aee11fb33a7080535937e1ca7b86b4f4ba599373c60cd479622ec3c5bbe9

SHA512
fc25539f7a0c4a8aa0003c5870daa6719f176e5a341ba044256e50d9c68ac9580bf0630a35d9c2887026f3d88af6898759240b90d44109d21a01ca2f92d29d90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
823c7fc1fac2b6bea6c98c0d46a63e15

SHA1
3ae189bcf82beffc414d2c4ba923ebb9b01f3ae4

SHA256
23ae2744df1fafc20bf60569ac39f93be702c571283845118bfc85fb0b80ce8a

SHA512
3bbe6319a4c9336124d9aef664c8cf0fecbbc83bc4a71b3f01a2f249a393456a2600010bfc205b1c0d089c63f0999b38fb284f9f1c9df3b321400a6afc791b24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83424af0f5e2cf6302e8f8975190ad49

SHA1
709d399dc303dc62fdfce9189f12dc5d7fff9c37

SHA256
2ce4e79b2b617573cf3b7bba0db5250775f71223245efda8747eae8b5305be6b

SHA512
23267df22da418cbb0aec15f2fce4f5c8e4da618bbeae9b5fc2c177aa37ac3781f247f92b3f0c644889d87e029a7082b6932fa9adca9f0df120dd8e7d61d5774

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b3eac02984de7dae5d4f7b3f7bff8ca

SHA1
592b14445702c5704893794487c685eff332316b

SHA256
e7a1c42fd137eabba71ed3b1d321c3f822206f817d92ee62ff10e3b880f129b0

SHA512
dbb7641207eeeeb876004087d63d67988030d69468f76022739e038867205af6f646b40948dc9f7af125a5197c67a3c1813f0573a260079b068a52000acc1085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{99539A61-A6F8-11EF-9E7F-EE9D5ADBD8E3}.dat

Filesize
5KB

MD5
b022f7f75eff6e0be73fb1da224371a1

SHA1
5a7a7d7aba2d4a5b55818c1fc6d8245bf9d83257

SHA256
8d0c20b90b6402086e3e255218ee2b795c75549ed3bc0f7105a537925ae678f6

SHA512
931bbc188f493101e98b67e818e9ce5e269fc998420ab3a12d9c11390de80e6f2dc8c116752180eb1c87a8513dce3d836c6ee95e4e0ffae228fd59c14073248d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9955FBC1-A6F8-11EF-9E7F-EE9D5ADBD8E3}.dat

Filesize
4KB

MD5
b626578fefde96df5f78aed215570aff

SHA1
394eebdff8a6b1b29ab3df3050c6f5dd125d9466

SHA256
1b4c6f743daad60a35aa62251d120bf7cf290914e45ed37dac51b567993c2c0f

SHA512
f20f8a54b5992bd5175ecf7c83e0746d9653fbc0f1d3dd6cbf16d4c7be35ae74f3ca4141594084da21c8598f7f6859a041158d0862ed0d2227ef9f801533821f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF8E1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF9C0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
eec910a08bc5c2371dd951967a73a3ef

SHA1
f22341a3a2b0247b5da66363800af5ea8ea9f877

SHA256
f5a2df26740d19e2e57a1a2810e190e142cd7dd849fdee7084a0a1f3bb276629

SHA512
9a7c0f25f9a868ff8fa803e0c7e9ef9cc7bd0ec695a256d8618ccf1cb19d99d33fdc60a945ad397ea6cf0c0738d3eae0b5fa2e378283adee37d6ce17d01fae7c

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
1a6a3cebb6b3ac6fb97969ef5fe85993

SHA1
b175d0cf225e352004101eb5e88f733106be4fe8

SHA256
d604a300b702c7ff3974908afae9fe22ebf9c448b1afc707c4c6c30f68fd52cc

SHA512
12da969c5af7fb028e7fb975cc214e9324266050bf8a3f6093506ae2063e341c749f37d4614d352405c87b149af638ffb7e6c604c860f48e2dee3f65ea002571

Download Submit
\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp

Filesize
340KB

MD5
8fecfa2814831abfe0e6d65ff97df824

SHA1
3a3060a939aad3467205fe68181fda1c18d53c07

SHA256
399f175101cbcf3a259db9c5ed4a1c8b37c82e05c6cca71604b87805b142d7a7

SHA512
9cbdf7ef8a2d2c94f96cf48fd7b0265624e889bb6812c6fbffe9aba3abb73729db78147647a8e8571d60f9cc7caaece86d588a009e82ee2c2eecaf2406f9ddd9

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
177KB

MD5
5c65d0f7ed0cf850e4e9cc219233d133

SHA1
093b25fe1598dbce3c9cb3aaf7da89f9e6fa321c

SHA256
c25c2eaf1dd5165bf46a36d9420d7fe718cb866831b91f22f55561fed08c7f4a

SHA512
2d404c860e037bc7b7e400ff2369de91599f15780d82364f119b356706aa3140499816c00a2bf99ba443206788ab0da527b16c3057372f803c5c112c2eae5d74

Download Submit
memory/1764-1-0x0000000024DD0000-0x0000000024E1A000-memory.dmp

Filesize
296KB

Download
memory/1764-3-0x00000000001E0000-0x000000000023B000-memory.dmp

Filesize
364KB

Download
memory/2344-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2344-21-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2344-19-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2344-17-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2344-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2344-15-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2344-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2344-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2344-49-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2344-48-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download