b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
Size

51KB
MD5

0ec13669b9f8bfa8f75e3a8829b34778
SHA1

612e4eb12b67c413d1f24115b68eedc500d240af
SHA256

b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd
SHA512

fcf5733623347e06642e024e5f7825fadc585880bf8e9087019ddac36e0c1ede9a37e9422530b40dc053b7fa198ff2c31ffba6805c6f333c71a0dc380fbd5fab
SSDEEP

384:/B9FqeuDcAfrL6Kt+xDMmkhdQhmwcpbKGqJixShqxHUXFO4Xik3dKx9UrFXdB6ba:JCJgi9+xDMm+SQwcV/JU0DUv0Vknu4

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32.crAcker.A = "C:\\Windows\\system32\\crAcker.exe"	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\mfplat.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\ole32.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\Robocopy.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\WABSyncProvider.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\InfDefaultInstall.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\KBDSW09.DLL	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\msi.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\msexch40.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\sysdm.cpl	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\inseng.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\instnm.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\KBDINHIN.DLL	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\lpk.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\ncsi.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons0003.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\unimdmat.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\C_21866.NLS	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\KBDBENE.DLL	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc110deu.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\shpafact.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\sxs.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\vfwwdm32.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\authfwcfg.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\dataclen.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\printmanagement.msc	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\comsvcs.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\KBDKAZ.DLL	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\wecapi.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\mscories.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\syssetup.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\pla.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\desk.cpl	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\dmocx.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons0816.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\KBDUR.DLL	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\MSAC3ENC.DLL	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\nlmsprep.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\PkgMgr.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\provthrd.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\makecab.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\netapi32.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\netid.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\wmdrmsdk.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\hcproviders.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\KBDTAT.DLL	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\sxproxy.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\sxstrace.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\SysWOW64\vcomp110.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\KBDINKAN.DLL	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\mstask.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\oflc.rs	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\sberes.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\vdsvd.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\label.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\NlsData002a.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\qdvd.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\C_10000.NLS	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\sppwmi.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\pegi.rs	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\usp10.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\inetcpl.cpl	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\KBDMON.DLL	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\NlsData0046.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\SysWOW64\JavaScriptCollectionAgent.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\WINDOWS\explorer.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\HelpPane.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\hh.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\win.ini	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\winhlp32.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\bfsvc.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\fveupdate.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\mib.bin	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\twunk_16.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\twunk_32.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\notepad.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\setuperr.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\twain_32.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\WMSysPr9.prx	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\PFRO.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\setupact.log	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\splwow64.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\Starter.xml	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File opened for modification	C:\WINDOWS\system.ini	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\twain.dll	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
File created	C:\WINDOWS\write.exe	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000035f48723c0bdca6336ff1c6ba099e9788170883b21e8c755b465b70b51c6bfaf000000000e8000000002000020000000750f70731f6978699ec97f8cc43165a048aea0429423539efc27ee44664f4cf3200000003932b00d2129461853a05bc6d7976dce3dada944254b61622e1d9f8e1f0e374a4000000030ec21338dde5bc2bd190a0ddd3091e1b3b6553b204582d42cc510c4ab8549eb104fb84629da14a522de626adcbc6299a7637b034cdc3700e75a81d21011b520	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000004373c3ad2f930465a6b7d719378c2eac4737712b592dc47b637725b09287d6ff000000000e8000000002000020000000d2d0a0e58401297dd5c264d496a4bf8778c773115e97f5785de1f9c46394490290000000cefbe775a3b8a6fb8aa3de007b7dae0f9620e0ebe79596acef5bd86b346518fd737a27f3ecefaf19fa688f35c84040361fd15cf53e4027b8d7aeec8f015c322228ee88491029c6adb25deb2a193046031d136291a7a551fe6f50da1020e4f34f48b2455f9d984cc3e9acc234f9cca9692ad6e0a0fe4c8e7b20f68992c4468f5fdb8e69552989176e46e1c83c1f72ee4e400000001eebda0aac8a8d9602d76ec388cc3452806b0a843561b1b019bc69c09fe849b81a69cf52650d3cb9acb0dee1c1603beb57991b8c4987f344e5eb8843e9647f8e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438331056"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BE692C81-A7CE-11EF-A7E1-668826FBEB66} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "290"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "290"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40223597db3bdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "290"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2564	iexplore.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2412	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2412	AUDIODG.EXE
Token: 33	2412	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2412	AUDIODG.EXE
Token: 33	2524	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	2524	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2564	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2564	iexplore.exe
2564	iexplore.exe
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE
2960	IEXPLORE.EXE
2960	IEXPLORE.EXE
2960	IEXPLORE.EXE
2960	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2564	1356	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe	29
PID 1356 wrote to memory of 2564	1356	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe	29
PID 1356 wrote to memory of 2564	1356	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe	29
PID 1356 wrote to memory of 2564	1356	b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe	29
PID 2564 wrote to memory of 2524	2564	iexplore.exe	30
PID 2564 wrote to memory of 2524	2564	iexplore.exe	30
PID 2564 wrote to memory of 2524	2564	iexplore.exe	30
PID 2564 wrote to memory of 2524	2564	iexplore.exe	30
PID 2564 wrote to memory of 2960	2564	iexplore.exe	33
PID 2564 wrote to memory of 2960	2564	iexplore.exe	33
PID 2564 wrote to memory of 2960	2564	iexplore.exe	33
PID 2564 wrote to memory of 2960	2564	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe
"C:\Users\Admin\AppData\Local\Temp\b997d4f7005f89b816b1760272f91adc83da7a8fbbe6dfc9db372c8fe2ef68dd.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2524
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:1258511 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d169b2c718089c6050ced4d1af6e4345

SHA1
16ea2e051c5d3c82f5e4069bb22ee3d60f2be04b

SHA256
0296d24d42e80ac03c27558ca8280d12c0ac08892b7f82c2d6cc228426a3dd25

SHA512
3e7e006579ee43cbaeef501514f9c5e8346db6ee8183425c17436f763aa478498c191825e8c955bc5043088954f5941a8ec5fc2f71207108e962177841edc800

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d58c06a7993219f27d157377494ef8e

SHA1
0f0b93b7f868bdf31abb16230faedc2cbc31581f

SHA256
770e83a690e46ffb6d272fc8c664e446d8f3e7969f7826a64cdbd736ed7a9084

SHA512
d5059a1e2c2d601715bf69e664c397068b8b9c7e700710d2c3763d17039ac436256de30b099488937653069fa675395a74da4c19fd29c04b0b3a50d7c4fc4b05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23651b13e82d6da7cc57ceddedcc8d13

SHA1
691cd989063500762b60ab9e38b666dc0feda11f

SHA256
181a0abde39c223d81099d3e1b56d3453958b8bcee0dbb34d5a2f2cd6e9218f7

SHA512
03e314adefb2a60a75568ff94a26f8318935939b9a548264b49a3961508e69a1e436f21f64341a28b391c7bedd878528b5970d43c06cd907e7db4290ac52e730

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e230fe10780b87c604cace3d046f5485

SHA1
c269ae6e5894d2bfcd893de71e850a813538daf4

SHA256
42dde719e5603043e8b0cb6250538dab5967f6c65fe475d42bd36eaf52656be5

SHA512
b8e07b97be25985eae06fe842c8b1f657d992956e6ba55adf0e78618dfa6b1229639375aa87af3a2a02fccdbc2b256043c43d636fa0f361c8dbb5a727de7e928

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36b5b294ff5937e1da1a117c116410a1

SHA1
bfd7eeddb40e9b1364fdf8df516a253567fb1521

SHA256
1ef96c93e161c601e8984dc214f1ec113bac7a11a419388acaa69cf0f9935839

SHA512
96dcecd1db94c0d2505d328decc7f83ff9049d4b5220d2fb1678d1d72117b3e78982c3574cfe0e6b07ef5c1f83e2e3014cfc4fbf6b23f0d55b2a06b17e69a6b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
704043071638214464291a8734731305

SHA1
b38d7ab9a90a71fe66b12397d5a806ac1317c474

SHA256
3fd73e1e977b17e4dcdc3308a2e94d69bcd3baf1102d6ce51ddf5128c7910e6a

SHA512
8e4f55babede41fbf2564c56f35a671fa9429dd283f7ca0f4e252267ef3f906fa8a9ab63fb864ce6fc02af237529c228b4f55f0c36e8101dd860e54d3a6832a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90415363bd427cbc05e3e2901a462a2d

SHA1
e3de16bdeb26677eeb99c5e94b04d342bdcfa24e

SHA256
3d0b77a72d1bc4480b755eefba2160686717c01ca4101902d19c82ed4ab4ad2d

SHA512
94af3a8642d1e875853f01a690be2169c0278e319fbb3ae7414cb1ff6ccf06b53e4b90aafa2d22c74f31c17fda09715af4fb46de1c4a1f08c702afce7c0c2c7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22a1a2063553f87c6c64ae6d2bd14051

SHA1
ab2a964e4c1ce4b5b82a247d237fac53f82d8c5e

SHA256
33c34b40890905fc824e57894d620d6dad7ff997e11b4b16b94bc3fa1fb56e21

SHA512
3ed2dff4e801de0ee732398859632aad973873c7d2867a1a6f222bb304f11040ee9b70e81cad5382384178702274b20855dd2061991b6906d222a95c66d7916b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2755618820f55f9d395f5ecb411afbc7

SHA1
599f38797c0817fc488ac4306b413b023115a3d4

SHA256
d266144b2bdece2b87df58ef4418e95e2049799f80c981afb7f0db977300aec5

SHA512
c6f81eecc5bbf1a7559f5f0aabf0376de4a21112c80cd9e04aa3775b0859ed9a17702875254adbbb29f8366b854eb70a0b747ce4e58ea0de50dcbc65f4e96619

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0773764e1e72bd9d79f57c56fece98df

SHA1
c0b0c6977bb322df2c98386b203484d07131e538

SHA256
31af59acdb78c5f311ec8a10b56222b339b561a5fc02399e60df5e6c661ebbb5

SHA512
537f99a5453017247f62d745b67093b04431b2fe28f6b787318f9b012069952f503d8492c1512e19d74ffbc7b15fbb231157444479bfd3c26bd53b78fcbbec61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee5be1ac31b6140951b9cecaf7ee0081

SHA1
4f867e95a6bc770d3bf68991dc7ddbc0b1533cb3

SHA256
34674dea7651c0e3cfa6019cec9f6f93cba5701ed6412254167bb2954b8e8412

SHA512
8b4cd48578a06301c2124c5d6db14f2296d346aa666c6f3e67bdd168332c8790cc90cf7439299c55c8568a8ffda0fda64adc298daf7c37490bfb765edbe55908

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60741195e64324df33858fdfb4768dbf

SHA1
5d559e86077df978b6de2446b87069006eebd5d1

SHA256
83c3eae27dfab3a0ecc644b7ffa29fed627f54f719186948c46e8c2605c71211

SHA512
3b77fcd0cbd8023fc8f7c551e2e940f5ddf8cc63aef4c5a0223515100b03c7137414fa5eb69957e6ab09028cedff7f0dcd5f208f022a122f308f7fbf4374a0b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe162466271d3884cec61744441cbc7f

SHA1
c4bddab4941c12f6d4d325f8554b31c4bb5654d9

SHA256
2c576846cc2cc4bb43e13922b363eea444af847155629c7dbd298d5e56010b4e

SHA512
d138aeca4ad2fd873b64829f24e5ef7dd50d4e41ca966b1c8511ff5b847dc27717312face7b12164a5d30d13130af187f68a7cfdb6763e0a8ff021d1505aadf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c989a7a274b3617d12a6ce37d30a7720

SHA1
286d12ded3cb316c15b618e8bc454c608afdda85

SHA256
8f2ea480046e46d076f5a6cdbdda421345ddc13aa362e37d02a8abc00e2bc25f

SHA512
87f9e4da336c7e48e8dab4eed51d44d66e89a35c84ff1859d7a4a0513f2aeebfd060b31f5ea2ce89aa5427bb8b88222735c3bcd089f55b48dc5bd17685fdfd18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddfea7d8858433caa6527f0f81d54cf2

SHA1
f3ef36593c60b52e2c0e63b9ee954e30d3c3a12d

SHA256
937ebf39ca2f46f8902cbe797e2e43a8d550fef688edf957e9d93779cb592226

SHA512
b432b6d1248f33f05ec64b6b430e774e2a740cb121b2cca33eef0439f7989655bfbc5a0ac753a922a298732116e5e643c05428ffb0542de968b34858e590efda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a53570122a209c0501ac2403ee9a8928

SHA1
2e6ed633736bf93ad90835b3d236656b27a3bca7

SHA256
fa25d6c84e68d8dbac622227421e1dd398f393d4d72ff61927002290893c4574

SHA512
9684d3cb2880a888361a199917546ffa380dd554fa69fead7ffcebe7b0bc0bdad323c550918b3cca54c29c17b81375932a014f2c799ad48d7a11c62248ea67e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d69e7ac132f9159521e555ea1fada54

SHA1
df6a141ce87bbc64c4004136c77eaee7dbfeb0a9

SHA256
41ef03faa5cdc100addbf070ab34032df6352458e7135a75ea8bd217866c466f

SHA512
49d90d17f9801872676c0cb5230e3bb7792d2741da40f8f061e4546475485e6c702d936fd6b63c014b60cd6a54d7f6e6f692363f0b462e554e18d31e168127f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd04bc1d2d760a00475cbb60ccee206e

SHA1
343ebdedcc4557bad395bd910c45d1f31773c0b5

SHA256
fa9a476d5c8adf3e4d47a9d8e9aac93cb94402dd8626a7ba104a8ecadbfced5e

SHA512
ae0644368421be3be80424347099c8f77525d047a991d544e8ae47d5e6f8ad1eb80f25315f38f84e7786a6de91a95e32a85ef63c31e110b79dcda306235bb4d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d518722796cc2729bc435346a1a03371

SHA1
a1e9fb661aaf7257d281ef12ce7587a71214028c

SHA256
041cfaa1fefd9339ca0dc90e202d1d99aa5b2d13342fd7e4263b35e7489249de

SHA512
45c24b639aaf293f9bea6aa2eed9c766985184029b47da46b75c247f6696ea76af8986cfbb864af7f3c8f9a71aa9f4160fde33269f10a3bee2c78cdf59b97e4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acd479eec5c573feea52fd263157c5b6

SHA1
c90710265ecab019545825729ddb529b769d11bc

SHA256
16c5f84b70ea254872d2b1dd2accb896de811457613fecaaecb9b42046085946

SHA512
3f9fd46c4171cce0d699a69b451c9158b318844004e84a91eddd7f05156eed9bf8cd1d645e03ed68d64015d49c74cfbec6e06ed50adc536afd7b0a3c0c004849

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69af49140462ed08d7aea9b3d7902035

SHA1
cbbfe5cc23dae1be3146418b24815a22b798e749

SHA256
51cc5440e289222593dbd0a45f8d98f69ba755f3c67c907bbff3d85f27e13e7f

SHA512
a536b2b4ceba9a5f4ef2acea6e19c06ab6dd5b6ffa39e22a58fedee66a7b96ca105b11b0a39d2252535d127e403679e4001ceae457a51e1227b159acdd3394ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c94cc14f4a5da9fc5c63e85ee98a998a

SHA1
dee7fd2d6c2a58e920764230a16e785f418043b3

SHA256
756c4945489ff4dec8cabc08de9cdf03020eab0f6e28aeb563318a48fb140765

SHA512
421e53541bfbffe63cdc9883ce0507396fbb5b27cc13b957fae0f2f218452866e0864fd34b212673b8c20c3df7107d35760bd1b9449633c7fc16bd97b0a6c3c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2b682f3e62acdd81acd1fc971797377

SHA1
2ef86adf9fe89ac4126e7f583719b98b856764c5

SHA256
01053f0c07dbf601685c9beee74236a28a52f4203edac9f1b878a41963f48a40

SHA512
f62d4fe994d0a594e3331e6718011166b64f8e627194ae54355b890176ec743dd69b6215ee6e5cbef4176a5cb86e3b85f3286474641a1d73dd51738937e043b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e8addea5681da0a6f05e7640eedace3

SHA1
68944422a176bc4c2fee94f9ebf74b36af8b56f6

SHA256
5ed6264345fbc1b2615c35f53f4f652269500b3c266b1535d2e3d3539a0273c0

SHA512
389fdfc283ffd964fcbf9bc77879e86710084c44bbd87386b80ee6c3d0ef64d64a5531f434edf4d3ed1cdef1d898eda1c62e917b0e45a3d9340670d524e2f4eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6563876f1bd9d0cc96b690e4ffea5df2

SHA1
53891ba9949bb28798d12c3ebcfcbb19f534c4f8

SHA256
75f469f1dca72ee3e385369825baacae6ae39d07d1fd3faf888cf9983b0bfe25

SHA512
676477d7de852134a51a1080b82e57dfc7d0c15ad39d81721e39db81787f6371527d32f9b3a2ea46bd880ebc69994939e7e0fa38591ed8aacf3cd7a67fa32e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b49c8bc6683058c85847fbd8e184d138

SHA1
135aa66cb5d05e583bf11469aa07cae888b8cf58

SHA256
013b95dbe5c2a42468340633403dd4f662f09c769c1b60051c1b52982997f43a

SHA512
7187a5572ca615c75d4a2e9effeec198d77cfb909f7c7831c3432a3c990e53f132018ef4909347502a5d4f0c1f7f051ec90975c4ea8dcc8000737d97ba979cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa12860f1851fa9aa922c5dd85339576

SHA1
338a053d2b934522ae2a020feafdad939ee90b31

SHA256
dfa21de8ad33225ab35bb96cf477fc6e129e2473a38e46c5ca2bbfff790664c7

SHA512
9dffcf425d433742de91c14bee1acfc54c8a0169861cfef109421d32bc083b18650fddd89cea315e860a30a4391312a10649de5fb17103d1c537cd26cbea465b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1ca3bcfefb2b6998e86985c9e4657a1

SHA1
a65c73c03642fce42a1e61ad01d971551fb9d590

SHA256
fb620256949f3cf817b0eaeeca74810b5ed705c60fdba54b11670a80d64a44ae

SHA512
744ea3231dffa4159058f97d6e62f1e3640c589fbc05752b00395857f7a2cd14f44fcdcde3545a607ac212ffbddd2c0dc007b5736087f82c90c5d1bec63ad23d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44114110550395676bb7bef04e724834

SHA1
d1d4a854535d51e4b832dc68c0aa27929a9e6e50

SHA256
f5d4403dce144a48ed5c5a0f66ef8d72a5709272dcd142f3fa2021a70801ed48

SHA512
7be9f497309ebdfc5615fa097829185677f63d27e541140ad139594a0c45c1251b0c047deb19233b92970cf0ff21d147cb4fc3cf03525500f618b7150f80c052

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acc410adcb185224eadd7212f19ab2e9

SHA1
13bbcad5c37969d34d38305e89fcc95647c5076a

SHA256
baa9497b9b1966a2fadb65a2c5381997bc4bc187e8796d8ef0441da8f41af804

SHA512
7f8bf16c7fe976f7ef20d5b9280625b009f8a99e8489f3f104f78b4a7e9d84364f854d28375599f7240edacf258cc430f884bcba5fe6036af20cb2303c7c71a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de29924e8b2b752f3839f9abad7dac45

SHA1
27d3e2d33f40e56e4966336f346569d323f59cfb

SHA256
d4ab351ff17aaab73bfa9ade5bb7b6803ec56dfbbc01b6bdec7258af52aa6cb5

SHA512
646c4acc853a28f5942e5a72ef7b69ebb2971d11ada8507876936875dbf1ca585586f5f6ae8ec07c339f389df049c9aa6e1f2dc9a0d660cefbcf7b2d6b48aa08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12f2e3ae8892fdeaa83d11437a4d3e55

SHA1
38bd8f9084c6f90155476de9a6274112e619072d

SHA256
6221a03b84b0f215947e7c4acec556c1fd97674e18c63d0ad139547faf7e8e2c

SHA512
5a16c2a3198f0b8c4f3e0c6317189a0ead34e7f4911466077da4b91d89fcfce5448273ae3ebc12c709da75fbede82c06908cebf37e5f5f69b80882dbf686b446

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a8ecdc80237c9ded7cc9234ac1e0fa6

SHA1
49af8df9c3cd0ca5a09031320edd045fc9f24b33

SHA256
89f6a11c5251b5b4d9893d227239ab95f0477185841324ad6eb2997ab894c803

SHA512
623b0c9efe38447effedc7245bc625a62e61605f3667f5d15d627613b3c1cc44cd8c166ddbff42d6a7bd336fc0429ee7cad33473b6c70c16cd95cd8c6ed82a42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab01cbc6c524b51a3d2e1c981a3f98db

SHA1
f5c4d31436f97148212898f386fa8079db209f7b

SHA256
89953aaea4ea3473b92ffcc2f948861a664f2b5887317347fe2f8ca6c2087bcd

SHA512
1c345c068bb857837d44fdffcc91e83bb21ba75270aeb266e40fb6a88040db15ed9ffd5402f5dfc47fe26d13c921a72803fa681d0208f5ed5ddd2cf725f8ff26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3c46e69241aa266c168e273379c9ce80

SHA1
278378bec7f0faf6900524957764631621545700

SHA256
894902035ffa2076043f7d6c4f64961cf6bb4527d4b40c9436fcc453c4d15c35

SHA512
0715f7de30970c907f85d23d2ebe39dcca4dab2147d1b16601c2ac5b5c2a0f9f37f099a1efe47aed563f95b90fc51f691d3719b155478ff653019598cfc90e4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\93RJTU0O\www.avira[1].xml

Filesize
437B

MD5
70ca03d0a2d0cae4698df3e36143c732

SHA1
aa325aa165613bea621d83a2a836afdaaab286ad

SHA256
c8b62c4b41afc40ea1b9f757e6b06e4df2b7f782a61978ef390ad8912af284e4

SHA512
c9bdb13bd2c7ec3c39638a7e72fb0a2b585e2d5554bac5cabf6929b33fe678ba73ba32e6080ddee2c0231ac2e5aa5c9033e0eda9c47add69abd490d41cc90e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\93RJTU0O\www.avira[1].xml

Filesize
575B

MD5
ece6d347b9b542e763efb0d04f03dcc5

SHA1
3157ae88f29175e5c524b68ad9b29c876c498701

SHA256
af97550ade953e4369b9b9bbda298beb5d7f95c3cd4b79195021bdec6875e242

SHA512
b5151b39eeb50e6983977fc1a6e456a36683f2c930f3aaed7ee2afbae203fb6c2e6263746624dd3e4e25f8c29155c295afd8e37bdf8fccc586536aa3363f30b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\93RJTU0O\www.avira[1].xml

Filesize
224B

MD5
e3bbf2ec310a4beb41216d9bf30ccdcc

SHA1
a2e0c1a5a75cfcf0f1a690367f7823f66395d512

SHA256
3fb0f31389c3262006238486b499b277bdbc2954e9fd1bf8661b69693ad2d9b1

SHA512
156f07d947d3af6e2e7e065a105c248f09994aa59dedb2ce56f904ed7ff53a532d638fa45df4a1803408fe5cc7fb9778779b4396ab5cbff329533c468b3cc800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

Filesize
1KB

MD5
b9e232fb68c49499b8e37f7c9e2a12ab

SHA1
a7d40f04949dac2d00507c006c05fe605b88fd52

SHA256
b1a9ffd07d72443b1757970fad719f4214277fa3f1f16de0df5cd586bc4792cf

SHA512
e7176091a736b1971ac024dd96d71f83a1fca1b8287007bf5d00cc51f9306b6db87acc63c4e811371928cf6026f9c8a34917f68c6dbdeba5d0da781a779d21cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2963.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2976.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KTWG024M.txt

Filesize
220B

MD5
964ad9205d6c37fdd634826d6598cb0d

SHA1
f08565a6c4168691faed5f729d8beb9670d1f584

SHA256
5c3eb75417c3287a6d40f0c47e2b2f43a46a26a7ecfa103cba6035ef73049527

SHA512
9ab2414ad784d33f5e9ca33729b4307487e20a5edb4c5b7cfa0e32d2a12537334cdd86596d58599eb31746ed7e2ee15d1202fc4c31eda2ee8054f09a8d562054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O0BZ1CWY.txt

Filesize
583B

MD5
7912922d3968f581f4489a2d5ffe237a

SHA1
a2444c427188492289ac3584736a83e0b9fbb0a7

SHA256
49ecc8debe612ac4beef4a4e42a17113120e5e11181303692ed5b968317173d5

SHA512
b31e7f2eb80658842b0491dd1ce9993915074ec4455f122b8758a43d1efa491594b02c03538a4f7c022d56fd8d9f945a275ac55544dac8d5c7fd21571b77829c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QDC8FID1.txt

Filesize
394B

MD5
92aacdc4b79e4790ed3fc60b0c62f6e6

SHA1
31cef5553ae02744204427094e5270c69e472371

SHA256
89a7c146cfb68c2b5f4581f072eaa6218a8c4572c56c682a08b8a41f319d8f87

SHA512
6cc7932ce56ec30088212edd3e32590e700a41fdc2bf048bd3f1ba34e764c55291212f80ccfd030d45d27de598cc7528f2233ea9dbfb4afc6c50dddf3380bcd3

Download Submit
C:\Windows\setupact.log

Filesize
49KB

MD5
f822e85333b3a823ec275445603cd215

SHA1
6c27aa552e0908b5d969df97ee4a9a53f604acb5

SHA256
80530f45b07fb90428d5931de09f296f14f27af429e7454c66938a0914c92b31

SHA512
25ed51645d4b34f3336cbb59c17c4d7d3a1d38dc95efe01bdb70c25eb1f2033f1e1678a7ccd35ee127d1f5f4591b00f0563747639f8a5341f425fe3e37de84c6

Download Submit
memory/1356-362-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1356-109-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1356-4-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1356-125-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1356-2403-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download