ramnit | 98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc

Analysis

max time kernel
203s
max time network
174s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
Size

144KB
MD5

271bc35816c049f57f12524f67116d70
SHA1

f923ae7fb613ffb86c5775121926f5731e7179f4
SHA256

98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc
SHA512

8bf573809bc5032f1bc4ab48c79398e789a2abaff447ef4314b8e01ccc6d703979edccda9e1f73c94b0743469e4ee58b8d2d599e855825048208313592c8a97f
SSDEEP

3072:Zje+a3JfFKqmROzoTq0+RO7IwnY1321bHCPe:s+a5fF7YkdNwBS3i7Ie

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

pid	Process
764	Logo1_.exe
1768	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe
1912	DesktopLayer.exe
1764	DesktopLayer.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001399c-63.dat	upx
behavioral1/files/0x000900000001399c-65.dat	upx
behavioral1/files/0x000900000001399c-67.dat	upx
behavioral1/files/0x0008000000013a02-70.dat	upx
behavioral1/files/0x0008000000013a02-72.dat	upx
behavioral1/files/0x0008000000013a02-74.dat	upx
behavioral1/files/0x000800000001414c-75.dat	upx
behavioral1/files/0x000800000001414c-77.dat	upx
behavioral1/files/0x000800000001414c-78.dat	upx
behavioral1/memory/1768-82-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/284-81-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000800000001414c-83.dat	upx
behavioral1/files/0x000800000001414c-84.dat	upx
behavioral1/files/0x000800000001414c-76.dat	upx
behavioral1/memory/1912-87-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/520-88-0x0000000000280000-0x00000000002BD000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
520	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
520	cmd.exe
1768	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1768	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
File created	C:\Windows\Logo1_.exe	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376031766"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99F53021-6BB6-11ED-9BCE-5E5304B417C2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99F55731-6BB6-11ED-9BCE-5E5304B417C2} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
1912	DesktopLayer.exe
1912	DesktopLayer.exe
1764	DesktopLayer.exe
1764	DesktopLayer.exe
1912	DesktopLayer.exe
1912	DesktopLayer.exe
1764	DesktopLayer.exe
1764	DesktopLayer.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe
764	Logo1_.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1500	iexplore.exe
276	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1500	iexplore.exe
1500	iexplore.exe
276	iexplore.exe
276	iexplore.exe
428	IEXPLORE.EXE
1852	IEXPLORE.EXE
1852	IEXPLORE.EXE
428	IEXPLORE.EXE
1852	IEXPLORE.EXE
1852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1848	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	28
PID 2020 wrote to memory of 1848	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	28
PID 2020 wrote to memory of 1848	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	28
PID 2020 wrote to memory of 1848	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	28
PID 1848 wrote to memory of 432	1848	net.exe	30
PID 1848 wrote to memory of 432	1848	net.exe	30
PID 1848 wrote to memory of 432	1848	net.exe	30
PID 1848 wrote to memory of 432	1848	net.exe	30
PID 2020 wrote to memory of 520	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	31
PID 2020 wrote to memory of 520	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	31
PID 2020 wrote to memory of 520	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	31
PID 2020 wrote to memory of 520	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	31
PID 2020 wrote to memory of 764	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	33
PID 2020 wrote to memory of 764	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	33
PID 2020 wrote to memory of 764	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	33
PID 2020 wrote to memory of 764	2020	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	33
PID 764 wrote to memory of 1600	764	Logo1_.exe	34
PID 764 wrote to memory of 1600	764	Logo1_.exe	34
PID 764 wrote to memory of 1600	764	Logo1_.exe	34
PID 764 wrote to memory of 1600	764	Logo1_.exe	34
PID 520 wrote to memory of 1768	520	cmd.exe	35
PID 520 wrote to memory of 1768	520	cmd.exe	35
PID 520 wrote to memory of 1768	520	cmd.exe	35
PID 520 wrote to memory of 1768	520	cmd.exe	35
PID 1600 wrote to memory of 852	1600	net.exe	37
PID 1600 wrote to memory of 852	1600	net.exe	37
PID 1600 wrote to memory of 852	1600	net.exe	37
PID 1600 wrote to memory of 852	1600	net.exe	37
PID 1768 wrote to memory of 284	1768	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	38
PID 1768 wrote to memory of 284	1768	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	38
PID 1768 wrote to memory of 284	1768	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	38
PID 1768 wrote to memory of 284	1768	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	38
PID 284 wrote to memory of 1764	284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe	40
PID 284 wrote to memory of 1764	284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe	40
PID 284 wrote to memory of 1764	284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe	40
PID 284 wrote to memory of 1764	284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe	40
PID 1768 wrote to memory of 1912	1768	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	39
PID 1768 wrote to memory of 1912	1768	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	39
PID 1768 wrote to memory of 1912	1768	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	39
PID 1768 wrote to memory of 1912	1768	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	39
PID 1912 wrote to memory of 1500	1912	DesktopLayer.exe	41
PID 1912 wrote to memory of 1500	1912	DesktopLayer.exe	41
PID 1912 wrote to memory of 1500	1912	DesktopLayer.exe	41
PID 1912 wrote to memory of 1500	1912	DesktopLayer.exe	41
PID 1764 wrote to memory of 276	1764	DesktopLayer.exe	42
PID 1764 wrote to memory of 276	1764	DesktopLayer.exe	42
PID 1764 wrote to memory of 276	1764	DesktopLayer.exe	42
PID 1764 wrote to memory of 276	1764	DesktopLayer.exe	42
PID 276 wrote to memory of 428	276	iexplore.exe	45
PID 276 wrote to memory of 428	276	iexplore.exe	45
PID 276 wrote to memory of 428	276	iexplore.exe	45
PID 276 wrote to memory of 428	276	iexplore.exe	45
PID 1500 wrote to memory of 1852	1500	iexplore.exe	44
PID 1500 wrote to memory of 1852	1500	iexplore.exe	44
PID 1500 wrote to memory of 1852	1500	iexplore.exe	44
PID 1500 wrote to memory of 1852	1500	iexplore.exe	44
PID 764 wrote to memory of 2004	764	Logo1_.exe	46
PID 764 wrote to memory of 2004	764	Logo1_.exe	46
PID 764 wrote to memory of 2004	764	Logo1_.exe	46
PID 764 wrote to memory of 2004	764	Logo1_.exe	46
PID 2004 wrote to memory of 1576	2004	net.exe	48
PID 2004 wrote to memory of 1576	2004	net.exe	48
PID 2004 wrote to memory of 1576	2004	net.exe	48
PID 2004 wrote to memory of 1576	2004	net.exe	48

C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
"C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\net.exe
  net stop "Kingsoft AntiVirus Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    3⤵
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEFDC.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
    "C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe
      C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:284
    - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:276 CREDAT:275457 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:428
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1852
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:852
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8fcfeec2c4917a7c7b6ff62d0246f3d

SHA1
9b50bee4b3c987fc84b3627405ed6ba6f91e7a5e

SHA256
3bb86e25f50c626c6252ffcfb68b497c45929e8393561e11013465fdde718997

SHA512
c9b3c46d72712cd2613f7591752586faa71c3ec71228870d100189fc69cfe0ced5cc389f241fd9f290b9018d2df2f39746967a009f285f01177d2cf5b81e5656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{99F53021-6BB6-11ED-9BCE-5E5304B417C2}.dat

Filesize
4KB

MD5
6dd9be56abfe00805a8980d0ae3c627b

SHA1
7ad9124b050b3939e6ffc5731d3be6dd1aedddb4

SHA256
8d520d8fd3be4b8d75bd6385a1a1413c6c695d17d8728e4595e741bbef1bbae3

SHA512
da8ec176aeee861fdfc38314bf13745b9367c04eb6c00db838832a0c65e9535a38dd613a76ef660bd6ea4f9c15b5959764fc4e707d828fde8f6ea49375200ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEFDC.bat

Filesize
722B

MD5
1409d33166d61a577104a3fc571a4e34

SHA1
49f28faa65899f899ba39e8037ee9b5fa21d06c2

SHA256
052ad212515b647d9e68b779cddbe8e44095d06fa3d39384a2d97651e31bea3a

SHA512
1f170d31df094bdec685801ee23ae76fae628f85f8207b6c3159ebcd3db1cef3d8152b0fc9a41484ce5f4d7dc4a755232e328fa5a1e3d5956815b481fec5aace

Download Submit
C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe

Filesize
111KB

MD5
c6961a78c1b76fffb4e6a09fe65cac21

SHA1
b0bcea68ca61d862fcc76ffdf29fdded08e739b1

SHA256
090d2fdb0c92cd287e43a21462ed656c52bd77c366edb35ebf436185d73e59eb

SHA512
fce8a32a1f02473cda2b7fa2dcc0c812979392f0e674fc9e107badd744541a7edd8e8089b74f4df817b8cd5a69f712283b410348442aa49b336b7a3d261c7665

Download Submit
C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe.exe

Filesize
111KB

MD5
c6961a78c1b76fffb4e6a09fe65cac21

SHA1
b0bcea68ca61d862fcc76ffdf29fdded08e739b1

SHA256
090d2fdb0c92cd287e43a21462ed656c52bd77c366edb35ebf436185d73e59eb

SHA512
fce8a32a1f02473cda2b7fa2dcc0c812979392f0e674fc9e107badd744541a7edd8e8089b74f4df817b8cd5a69f712283b410348442aa49b336b7a3d261c7665

Download Submit
C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\J08INF39.txt

Filesize
608B

MD5
0f8736151b39bedb33cf029f6c9579e9

SHA1
b581ae716523458257c726613216ae8f2943ab8d

SHA256
89ded94892ed6bd36a7c3bd4845e06ae8779da91a8157b7a5fd224a80ebc308d

SHA512
468bfcc9e3aea90d1d1331afca54507d741760d871b71b502058086e23577ed23c1c2d7e7a3533e613a1783ddac77167c5423b55eb2f1daeb3b3428f0d286be9

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
cbd156bd1052b4f0b5f27cf950500e88

SHA1
336196bc049b95d4462879dd3129bd04680162d9

SHA256
2d781db76c1cefd719a71d815a55494cc4d7b165137a31874eebee8e3baade3f

SHA512
d83e47e1810f0c40dc7dc51f9a3934b71b880303386c9a083ca3a1b3e319cf652e72f8a85e41f51ff37cd830862c6990cba00e48802c049e7726fac6008c7666

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
cbd156bd1052b4f0b5f27cf950500e88

SHA1
336196bc049b95d4462879dd3129bd04680162d9

SHA256
2d781db76c1cefd719a71d815a55494cc4d7b165137a31874eebee8e3baade3f

SHA512
d83e47e1810f0c40dc7dc51f9a3934b71b880303386c9a083ca3a1b3e319cf652e72f8a85e41f51ff37cd830862c6990cba00e48802c049e7726fac6008c7666

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
cbd156bd1052b4f0b5f27cf950500e88

SHA1
336196bc049b95d4462879dd3129bd04680162d9

SHA256
2d781db76c1cefd719a71d815a55494cc4d7b165137a31874eebee8e3baade3f

SHA512
d83e47e1810f0c40dc7dc51f9a3934b71b880303386c9a083ca3a1b3e319cf652e72f8a85e41f51ff37cd830862c6990cba00e48802c049e7726fac6008c7666

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe

Filesize
111KB

MD5
c6961a78c1b76fffb4e6a09fe65cac21

SHA1
b0bcea68ca61d862fcc76ffdf29fdded08e739b1

SHA256
090d2fdb0c92cd287e43a21462ed656c52bd77c366edb35ebf436185d73e59eb

SHA512
fce8a32a1f02473cda2b7fa2dcc0c812979392f0e674fc9e107badd744541a7edd8e8089b74f4df817b8cd5a69f712283b410348442aa49b336b7a3d261c7665

Download Submit
\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/284-81-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/520-88-0x0000000000280000-0x00000000002BD000-memory.dmp

Filesize
244KB

Download
memory/520-96-0x0000000000280000-0x00000000002BD000-memory.dmp

Filesize
244KB

Download
memory/764-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/764-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1768-89-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1768-98-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1768-91-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/1768-68-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1768-82-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1912-87-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2020-61-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2020-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download