226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
Size

8.9MB
MD5

9c34eb64f458f748970b157de4c27770
SHA1

47c16397efbab09835b1ebe9e04b698882e0bbe4
SHA256

226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e
SHA512

a2e6477c8814109580c58f60fca7d1bd991e14052dbc51544b868a66b9757470130ddcb64035e53dcc03118f46876acd87d3f85bfe2d49bd66d5f980ca4dc0ee
SSDEEP

196608:63qCEEkDhSQd4zgdFpcHPHpjooIC93qCEEkDhSQd4zgdFpcHPHpjooICw3qCEEkZ:63qEEuHpjooIW3qEEuHpjooIL3qEEuH4

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\FirewallAPI.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\mswsock.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\proquota.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\ucmhc.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\resmon.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\sysprtj.sep	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\framedynos.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\Magnify.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc110ita.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\mfmjpegdec.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\MsCtfMonitor.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\NAPCLCFG.MSC	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\nlmsprep.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\themeui.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\acppage.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\kbd103.DLL	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\KBDLT.DLL	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\kbdnec.DLL	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\SearchFolder.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\apphelp.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\autofmt.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\dhcpcore.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\KBDLT2.DLL	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\msident.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\ocsetapi.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\systray.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\win32spl.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\C_857.NLS	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\fltLib.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\gpscript.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\msfeedssync.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\intl.cpl	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\KBDSYR2.DLL	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\QSVRMGMT.DLL	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\ieetwproxystub.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\photowiz.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\Vault.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\WindowsCodecs.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\cryptsvc.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\format.com	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\RPCNDFP.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\slmgr.vbs	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\mprmsg.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\provthrd.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\spopk.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\StructuredQuery.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\C_720.NLS	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\encapi.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\KBDCZ2.DLL	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\KBDUR1.DLL	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\WsmTxt.xsl	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\Faultrep.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-core-xstate-l2-1-0.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons004e.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\WPDShServiceObj.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\C_21025.NLS	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\D3DCompiler_47.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\DevicePairingHandler.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\htui.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\SubRange.uce	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\subst.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\wshelper.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\C_1253.NLS	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\SysWOW64\DDACLSys.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\PFRO.log	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File opened for modification	C:\WINDOWS\Starter.xml	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\bfsvc.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\hh.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\mib.bin	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\twunk_16.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\twunk_32.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\WMSysPr9.prx	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File opened for modification	C:\WINDOWS\system.ini	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File opened for modification	C:\WINDOWS\setupact.log	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\splwow64.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\twain.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\twain_32.dll	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\fveupdate.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\HelpPane.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\notepad.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\winhlp32.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\write.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File created	C:\WINDOWS\explorer.exe	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File opened for modification	C:\WINDOWS\setuperr.log	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
File opened for modification	C:\WINDOWS\win.ini	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000009fbfecd997a7c363fbeabc30f4d02cfc805386a24d5978dcbc5dccf2f104b69f000000000e80000000020000200000005ff845fc09bcda840e2e7b00d6c9aa31924623d43799489fcf8c2a15b04748c72000000024d8e0b95b1efaf7bb80d45627ec66d7753ec85b63ece9894faf0c39e5b5c6524000000006af09937eed4cb5159a7d6f65ea9162bf722708a583024202580291eb96b49424b2bcfb1cb5d9e510e7f11c03c0ceea6421d613425b1ad6fda9d0852aff22c4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "255"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "290"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{25CE1191-A7E5-11EF-86F5-E699F793024F} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "255"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "290"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0814afcf13bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "290"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000027c15320f1c27a74c311c56f237cae736af7184ae0be3886428af95f2f35bd24000000000e8000000002000020000000306ff12efe8c66c02066c7d86a121523456896f7b0dae211802df01e7f36b5f790000000e351b008dc3c27e3132202846482063c96f094358b345f82193138214d84e768e170615a708b951b2ea0a8768d1354d33d624a5aa84860c7336775da2e8e77582caa915704af1e4513e7829c16e69f45137fc63c49f1b07a309d3941e8c60ce59f5ea97a82d186c91f56157f5472bda1ba8950c0160be2a6b48419007ceb559622e8a8402faec016b529c4df797719cf4000000081ac56ba40603b6d1d3469ba0e3780b1ab9b38159606fde44cfcf9fb8285c42c601a3a4fc96468f5d892c62ce6c8ffa6fd9b5b429df6b20f09da87e6fb5a0bb9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2212	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2212	AUDIODG.EXE
Token: 33	2212	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2212	AUDIODG.EXE
Token: 33	1536	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	1536	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2368	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2368	iexplore.exe
2368	iexplore.exe
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2368	2932	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe	29
PID 2932 wrote to memory of 2368	2932	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe	29
PID 2932 wrote to memory of 2368	2932	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe	29
PID 2932 wrote to memory of 2368	2932	226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe	29
PID 2368 wrote to memory of 1536	2368	iexplore.exe	30
PID 2368 wrote to memory of 1536	2368	iexplore.exe	30
PID 2368 wrote to memory of 1536	2368	iexplore.exe	30
PID 2368 wrote to memory of 1536	2368	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe
"C:\Users\Admin\AppData\Local\Temp\226a37c77701922a65f62a1710076d1015da36077fa9a73e5cfb9543118d475e.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1536

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6da9710417c3ffcccee646a7aeb6c731

SHA1
beb3bb7d252baed34a7952295f9dc4b548216fc0

SHA256
52dad6575c2afe5b4e29de391ceb1797099857902bae6e162119038566691602

SHA512
378612eec2be0b815463ef44b52f4f6553e0151b2e9b7eb0cd22cfc5647f3afe61cc361c47a1e064cbe1590b751e951785971688f686b660784b98900a3fdb71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86caa772a3b9ac12d4240690d789d27e

SHA1
33591c471149df5d328faef2480767bd9cf22a12

SHA256
4f1f534eec5196869ef388c81bc856213ecaf85f26804133b3e833abda3b75f2

SHA512
eef057c7f516c3e421e816ad8dcf6657fdd167164dbf90d8a4e43209ed7f69c2f9b46a745e32a5d7b7c6ff7489334387dcb927eade55dab8daae8d58b270076f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
204f770f692c766ba8474114ddc06a15

SHA1
c470aba64d1dea88d48979192fe63ce8033cfa5e

SHA256
2ebfeebed00762d27ddd1f1a84567ae1285c193ce6c4a56316ecc8722de47998

SHA512
2cf0fa5d9047cdd992da49fb32bcac4030af5753ed117627acc99e936862834d6ac613ee8c7526aeee863e21bd9bdf571b60b2ea93a7da413f11e61659d76fbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
437206cd7df3d5ec5a76b7c3a7ac6e3d

SHA1
3ca43a897d9fa771f075155925618abb78702a44

SHA256
269bdd13e90f98a11394292c3cec0b632199f9a3ca60e9666fc4bac8b8c1edc2

SHA512
d2c9e637b80155aebde51dcd0346a11579a0b462d4cf645fa4304cda73ccd21af9fccc9762804a68409c21efaac7a3c75a58200f516a1033bff3495003308d96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9626e97defcac5e7bf672bc9ffe3a39f

SHA1
6a4d97a2f3e6c8ffb269654f5e59308e12c2c650

SHA256
80a7cbdf0a19785222200fab44f33e458761dc0c3ad96b7acab5c9089d053c55

SHA512
f103b055dc804d9af0ff5808520a3ea2cef31fbb38d85b0553a86bdcf028c6c998a4f8415a12022983455facc49eea767d5bff86b82a51431e56014660a3e7a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eef6b49ca47eee63a3d9e6000aa8cf89

SHA1
b1990d4e133a6d5eb56a80ea1306f955742d9411

SHA256
a080de6f538106f8cab6da1bea30f0701f347c1ccc344af4fa20011ec7285b86

SHA512
606d373dadc799318cd6dedad27673e019c78d9932fb6ecb6e6f3fe9821d5fd77b3d174328c18a463d944f92934f2d391a3a36756ba81cd5cfe5e40ea2dfe6c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c68c1348d45286e152081c144706fb0

SHA1
35b6b8fa57f872970dca3c60a78eedae786092bd

SHA256
98e17c91972ae735e748e4879ccf0a56c2900d764e949b5018839a0bd7cfcc2f

SHA512
fef7eccbcdd0ce09ca518fb1d8071b7ec25d8f3866b65efeb82f9a994e580f0ae545fda4d68ec1a4595deca35623ff9b512eee74e158345296e71fb148615854

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce984254760ad001bd855f6d0e5392ab

SHA1
843953739a972d95151ec5a56029ecb8e07e6d1d

SHA256
040e345d142efc2db1b9c5c787ca66a7e82f81c4784d2693510ed86573b4a16a

SHA512
a6ebf99e853927918bbe78f30b03c21fc7bd758ade6bcda10aa537b3d3d27b04367913541d79711ae56c2adc13cd423b26c96708b43653705011fb8b82fab7eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d19c50a9f98bf5bdd313067518c58b55

SHA1
92a11f9f8ea6c52e8fc20be23a45086da905e65b

SHA256
90289556dc94da0f330c3c142b0c1516f6668749e132d3f70cf4d16800d83bf4

SHA512
11c12101233086a0cb93acc5861e66f94a985b4f8c6ecb4a49ec2bf32abb0c50eacd0dce6ce8a6942d0778f6f5ff6b9e6e2eff65a256efafb199df953ff0370a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ecb55abc4780cbe7434cff576e9f19d

SHA1
8c43e2242e2f1f2c065c6f7cd0db4c792c2cd3d3

SHA256
08d5e62ed74b80e1d30ba2494cb07d7a2e6bf8948bc85892b5d90e6bcc987ca3

SHA512
1f3028a7c49acb230bf825a71cb636dc6fc587c56701d0b482b454051b74e6f5300f3fc05f3c43c1893ac7e707ea5581d8e7583e2d9041fd6cbde4fc45c1d54e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d1539c87425c6a57a24332477366fa1

SHA1
dc8c4b8d9cadd2681351b3990d897bbedd8b6981

SHA256
dfa354f9644af1111a91e13f69e636b725cbd440a787949fafe8a20836a84f23

SHA512
ed5bfb1121e89f1502d4d0a2d42d30f5520a91967977740c138a54ec2ab8c217f67d63aa7e9cec2651fbd0b2a485d51003976f6b6fa1e5142367f5359f2c890b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beb13531af998db3a3ba97aa7f65d051

SHA1
4cc0ea6cfb1d4444b4891b9c180262563a452c40

SHA256
d557f3e47f230cdb29b82b5bb5e417ac76b4c4029d17b41e51d1ca1610665a4e

SHA512
1867ae9a944479636de11757503128f1d8da1135c8d85249afeba5c525b79374decadc01dc3a0f335a8b238cefae565445790db1fa1809745dd2bb0aa3412878

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba49b5632d387780b640e9381c56d48c

SHA1
1a9497784b51a45eac5b1a020069e5588e1bfaca

SHA256
6bf22a8be8184559e0ea1f91cbc5cbfe45668178bb2d517980f68eaa25f509c9

SHA512
eafee527235fde166966befe9dfa226af8a89bc33dab147f7ad7b0a74334a59b6f54a07aa824e69307f3928020a99ce7a0edb3a26b0ead71213847ea17818a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20fa0fc82536641259ee28028e21fec5

SHA1
431a6ff5d442bb5c6ef4594f9aa19a41a33273f2

SHA256
3f7a1b8c37e5a82102fcd5afbf525bbfb11e1d924d744069f88624bbd58617bf

SHA512
a2927c5fe2e5987ea501552b543f8bd16af0958faa6f1eb02da2b177529f0bf3fac8350074e1701c5b3ad09b5dab210ba00d9562f926822829411ea111d5b19a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
162f550f80ba263c60e624fb839c4ef5

SHA1
33f11440bda3a582fcecc692068b995be7385bc8

SHA256
edb983aebca00e0ea8f5a1a8a25f28be867e85535756f8224a3a6b5a08428fe5

SHA512
2329fb51ecae66de5715757a8ef5b7352f82cbdc0182de4ad30e0d3c6729bb68c02e99eded6ddb6ad093a5dbfbee47fdacd8190ac3c103f2f92a8475ea0f3df8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d651561651335f39871e0e10daf8ea52

SHA1
26cac9c33c671e692caaad8b5e3d28e24cf1c19a

SHA256
e91b4e1799286887ef8d3df58c3b39d5542893912b1ada49b98c1c014b786bc2

SHA512
178b7b1c3c1811ea0cac7bc402f3b779aa9878889581ddd9d7d66b538aebaa3e4160b5c19d6cddb67ae47f591e598fd9be1a452e62f45ce1fde18934d3e465f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cf996b1f62488a8b1714f27595ba3cc

SHA1
b7fb93d3e03de4063ed0ba1f10bbd7cec6aa12de

SHA256
f9f5136b219ab7a7735e17ebd6c8ae2f2fddb5803f83edbab8965243612a701c

SHA512
fbed49f7909902b7dc8d9de1f93f86e98f469b9d2bc8ceab86aa6a57f49b94aac159c4b3c8dfa2cf413d27c308ac80c37f4d8bd8e6bbaea1648064a01127b84f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dabe29dd656a39813cfc60d6c5a932a3

SHA1
239d9ab386d5a081741d1335f92cc1fee85ed749

SHA256
77e55e75f0e17da742f6d6175a5926c169af9df5d498fd77d63417b322be0859

SHA512
a1c18ec5185eeecd3452a19aa34b43a7a587fb5a3fada96693dcc47f43d55ff3507270367166244f827843fe01a60304b01f3080ab8a8cfbab1adb6266690649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd60b3df45a2c66fa8306e1ceffddabf

SHA1
d8c575c0651f9de213abd07d844d04ab9bea5ff1

SHA256
6b91197bb3667d8769ea6c7bf0f1e00e87007f3a942c3427a9090455c5553fac

SHA512
6c17b6536c195b74cec12e6b428c34aada550cb2187a70d3716fa3b8c535049df2f535fb7bd943e8538b5bda30dd156ea765528b1bf3313bcecd33c4a30f739b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
437240ab6934f860e17d3d8731826be3

SHA1
a6597ae0f452657ab243fd2d45c0e094f09e210f

SHA256
b4d4279b7492cd4a7a5dabeb8bf1179348825dac7bdea5edb699e0e27f09240e

SHA512
db455aaf12c3c7d18866511dfa0f6d08ad9b096236690c75fc7c6637563ffdec29b35093c200e67c5c81227a20991fa12a3158be6e8cfe0597409f31e62bd1e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c1bbe0d86be5dcdaa2058e72513a1d5

SHA1
4343fe591ad8090e3c1c388f2f5373debc16e66c

SHA256
2ba75c7f6e0c3eed2c7f35bfcb8ecdb68702e98680581e559e117e4e2a081d24

SHA512
42ca02c14889689468f76bd30211b53e7041a3055dbac03f2628ab3135f16fc9011e010001781d08c72eaa1783882eee49208d13b97c0cb0411746db434b8fef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf0720f7f8d90b1a0648d42b1506f8ee

SHA1
9f27b6374f724cb42248d8289107f9dc5966532d

SHA256
0f21c0230ab0c045c0929acd44d1eb9aee8b0d36f4524182b1a22920bbf9d4d6

SHA512
c48a48d5c49fd2282cfe21195cbba31eb674337af4a6efb98ac6612d93ddbaafb36abeb269a13da9b510ae9640a69a7ba1fb6d4eb4547f59025c33e630070e68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\W0CKNJRQ\www.avira[1].xml

Filesize
575B

MD5
c0646229afddb38c8533b4e299eb8986

SHA1
f0c5441a8587fce8a377c26e1ac269f1063ee2d1

SHA256
6e8e2821cca6329ffdb3f178fd02c8c22cdea9e7eb6206f6114e8c8ae5a8361d

SHA512
950a491a9ef8a0e6a1ce2eb261b73ef10672397fa1bd49ef180c67fcea6e8a6403fa51bebd23fc220e1ffa000faf4ccce3adb3f5efaedf9440d87b9d93e1da84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\W0CKNJRQ\www.avira[1].xml

Filesize
224B

MD5
1d3322dd1e2bc2e2484a7eafce922b8b

SHA1
00c30d7adf28dc6ca52ba67e0e5efa74fadb0556

SHA256
76179a8da2ec1e26a692c00377510bc7728819f915837f177d6608f7b1b8e4a8

SHA512
c24b5d2fa42ef64acd36d9b83ee266b85862898b9a765d7272119ca7d36246eb6880823647edce925eb65a683fc6f8c74c1d90adf463636b694ec3402c8b9f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\W0CKNJRQ\www.avira[1].xml

Filesize
437B

MD5
c9dc482ba366fae49b579abdde35b9d8

SHA1
ea5af74be222ee718645f59b7dffe9f3025047ff

SHA256
d75deee76831c09b70593599bf909a50f4aaa7c106f99be92d345f71b5adbd23

SHA512
5b9093b32604bd6e290e8c2f0ac9ee075b33e938194740f9a0ad5125bac021cb05480c548576efab5ee490854b0b640907df79c4f6ae0016bb3383f8d45fd562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
1KB

MD5
aacfc4dcc9878c7628f379df4dc4c5a9

SHA1
5a93b7682e2cafce6c9261c7ef4df0f097b332fd

SHA256
4ca4d196763d75e18c89fc07927a11707f80ebfc7ce679a9c064d6747782c44a

SHA512
cd30ebcdd5d203dfe620ba4f377a573ef6313488be1d7315d355777312f5b3f99b1921f1b19e27c50f76051fe706f2c51909c05e1988a0a4a8342d11617e0ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE8FA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE90D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
2ea619a9d934ca992ca895dd96e882ad

SHA1
c6a701ce1b13fe7750b0ab8a78427e56829c2ef7

SHA256
f0fe3dbec0d6f91e2db7ad8aae584aa9dc4b962e3fcd45754c5ff6e17f0ece9c

SHA512
ec3e005c6fb425492bb261dd58a8e24038360f91e698077c240690d2c9416b23f143466df87fa052fe1645a1101bd10c2a5d80ff2a2f35e4cf4a2f972488797a

Download Submit
memory/2932-120-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2932-2-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2932-1884-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download