ramnit | 98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc

Analysis

max time kernel
150s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
Size

144KB
MD5

271bc35816c049f57f12524f67116d70
SHA1

f923ae7fb613ffb86c5775121926f5731e7179f4
SHA256

98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc
SHA512

8bf573809bc5032f1bc4ab48c79398e789a2abaff447ef4314b8e01ccc6d703979edccda9e1f73c94b0743469e4ee58b8d2d599e855825048208313592c8a97f
SSDEEP

3072:Zje+a3JfFKqmROzoTq0+RO7IwnY1321bHCPe:s+a5fF7YkdNwBS3i7Ie

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

pid	Process
1620	Logo1_.exe
4844	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
3284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe
4616	DesktopLayer.exe
3584	DesktopLayerSrv.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000022e4e-143.dat	upx
behavioral2/files/0x0009000000022e4e-145.dat	upx
behavioral2/memory/4844-146-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/files/0x0008000000022e41-149.dat	upx
behavioral2/files/0x0008000000022e41-150.dat	upx
behavioral2/files/0x0009000000022e5d-153.dat	upx
behavioral2/memory/4844-155-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/files/0x0009000000022e5d-157.dat	upx
behavioral2/files/0x0007000000022e60-158.dat	upx
behavioral2/files/0x0007000000022e60-159.dat	upx
behavioral2/memory/3284-160-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4616-162-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/3584-163-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\ModifiableWindowsApps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
File created	C:\Windows\Logo1_.exe	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7CE71B44-6BB6-11ED-89AC-F6A3911CAFFB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998467"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7CE4B8A1-6BB6-11ED-89AC-F6A3911CAFFB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1391115263"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1391428169"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998467"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1391428169"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998467"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7CE4DFB1-6BB6-11ED-89AC-F6A3911CAFFB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1391115263"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998467"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376031725"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
3284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe
3284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe
3284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe
3284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe
1620	Logo1_.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2344	iexplore.exe
3776	iexplore.exe
3008	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2344	iexplore.exe
2344	iexplore.exe
3776	iexplore.exe
3776	iexplore.exe
3008	iexplore.exe
3008	iexplore.exe
4216	IEXPLORE.EXE
4216	IEXPLORE.EXE
3428	IEXPLORE.EXE
3428	IEXPLORE.EXE
4208	IEXPLORE.EXE
4208	IEXPLORE.EXE
3428	IEXPLORE.EXE
3428	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2276	1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	80
PID 1444 wrote to memory of 2276	1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	80
PID 1444 wrote to memory of 2276	1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	80
PID 2276 wrote to memory of 1524	2276	net.exe	82
PID 2276 wrote to memory of 1524	2276	net.exe	82
PID 2276 wrote to memory of 1524	2276	net.exe	82
PID 1444 wrote to memory of 2264	1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	83
PID 1444 wrote to memory of 2264	1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	83
PID 1444 wrote to memory of 2264	1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	83
PID 1444 wrote to memory of 1620	1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	85
PID 1444 wrote to memory of 1620	1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	85
PID 1444 wrote to memory of 1620	1444	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	85
PID 1620 wrote to memory of 4240	1620	Logo1_.exe	86
PID 1620 wrote to memory of 4240	1620	Logo1_.exe	86
PID 1620 wrote to memory of 4240	1620	Logo1_.exe	86
PID 4240 wrote to memory of 4852	4240	net.exe	88
PID 4240 wrote to memory of 4852	4240	net.exe	88
PID 4240 wrote to memory of 4852	4240	net.exe	88
PID 2264 wrote to memory of 4844	2264	cmd.exe	89
PID 2264 wrote to memory of 4844	2264	cmd.exe	89
PID 2264 wrote to memory of 4844	2264	cmd.exe	89
PID 4844 wrote to memory of 3284	4844	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	90
PID 4844 wrote to memory of 3284	4844	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	90
PID 4844 wrote to memory of 3284	4844	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	90
PID 4844 wrote to memory of 4616	4844	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	91
PID 4844 wrote to memory of 4616	4844	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	91
PID 4844 wrote to memory of 4616	4844	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe	91
PID 3284 wrote to memory of 3008	3284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe	92
PID 3284 wrote to memory of 3008	3284	98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe	92
PID 1620 wrote to memory of 3024	1620	Logo1_.exe	93
PID 1620 wrote to memory of 3024	1620	Logo1_.exe	93
PID 1620 wrote to memory of 3024	1620	Logo1_.exe	93
PID 4616 wrote to memory of 3584	4616	DesktopLayer.exe	95
PID 4616 wrote to memory of 3584	4616	DesktopLayer.exe	95
PID 4616 wrote to memory of 3584	4616	DesktopLayer.exe	95
PID 3024 wrote to memory of 2456	3024	net.exe	96
PID 3024 wrote to memory of 2456	3024	net.exe	96
PID 3024 wrote to memory of 2456	3024	net.exe	96
PID 4616 wrote to memory of 2344	4616	DesktopLayer.exe	97
PID 4616 wrote to memory of 2344	4616	DesktopLayer.exe	97
PID 3584 wrote to memory of 3776	3584	DesktopLayerSrv.exe	98
PID 3584 wrote to memory of 3776	3584	DesktopLayerSrv.exe	98
PID 2344 wrote to memory of 3428	2344	iexplore.exe	99
PID 2344 wrote to memory of 3428	2344	iexplore.exe	99
PID 2344 wrote to memory of 3428	2344	iexplore.exe	99
PID 3776 wrote to memory of 4208	3776	iexplore.exe	100
PID 3776 wrote to memory of 4208	3776	iexplore.exe	100
PID 3776 wrote to memory of 4208	3776	iexplore.exe	100
PID 3008 wrote to memory of 4216	3008	iexplore.exe	101
PID 3008 wrote to memory of 4216	3008	iexplore.exe	101
PID 3008 wrote to memory of 4216	3008	iexplore.exe	101
PID 1620 wrote to memory of 3008	1620	Logo1_.exe	92
PID 1620 wrote to memory of 3008	1620	Logo1_.exe	92

C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
"C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\net.exe
  net stop "Kingsoft AntiVirus Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    3⤵
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAC71.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe
    "C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe
      C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3284
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4216
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3776 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4208
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3428
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4852
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
111KB

MD5
c6961a78c1b76fffb4e6a09fe65cac21

SHA1
b0bcea68ca61d862fcc76ffdf29fdded08e739b1

SHA256
090d2fdb0c92cd287e43a21462ed656c52bd77c366edb35ebf436185d73e59eb

SHA512
fce8a32a1f02473cda2b7fa2dcc0c812979392f0e674fc9e107badd744541a7edd8e8089b74f4df817b8cd5a69f712283b410348442aa49b336b7a3d261c7665

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
111KB

MD5
c6961a78c1b76fffb4e6a09fe65cac21

SHA1
b0bcea68ca61d862fcc76ffdf29fdded08e739b1

SHA256
090d2fdb0c92cd287e43a21462ed656c52bd77c366edb35ebf436185d73e59eb

SHA512
fce8a32a1f02473cda2b7fa2dcc0c812979392f0e674fc9e107badd744541a7edd8e8089b74f4df817b8cd5a69f712283b410348442aa49b336b7a3d261c7665

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
e32d02ce684c01ef3af05fae9066160e

SHA1
29c7a6e8ed553ac2765634265d1db041d6d422ec

SHA256
b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

SHA512
e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
caba4896f0b5a7ec55dfb7770f8c2ab5

SHA1
bdada010eeda61850bed0ac2bd198328710927ea

SHA256
cb830b76bb9fb5897ac5d068b63b2005d379f9e2493dffad777f9b2be72d29a1

SHA512
6adf9788011094115d2a0f165e27c387a8b8e7aabec8dada090d272405e4be504018b245f484f272b8c8d951f59b1449be25b7ee556ff843c772a71f086b93b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
32d35354b754b898fae6a127d9a02a80

SHA1
35b62098701d7f6ed66f6e74c449517673b0ea9f

SHA256
032ac9155f4291eb9ad0e1ec58327940f63d670202da9c757ecb18edf4a9b431

SHA512
b39217581300ac6c0603e5ff8916c2861378860293763b8df3a6b8f58ec2b1d3654fbd465ed135fe6e974e39d60cd6b96db190c43805e31967b4310beac7dfbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CE4B8A1-6BB6-11ED-89AC-F6A3911CAFFB}.dat

Filesize
5KB

MD5
d6059896318b678838e2be2bf645f318

SHA1
288dce3ddb17cc5821ca67990f070b43aaa3d456

SHA256
8ab7e671ff06b8f2af875efa8d5f8628c74f626f968bd49132710eccaf1d5f95

SHA512
2b4fae75de1e86ad05f82420e5ff309d8f05e9deafe0af9c7865760051be8472d8c7cb9d7c1433a95ef0ebd12e0b109cb9d5f3c0d842a4371a5c63b1619709f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CE71B44-6BB6-11ED-89AC-F6A3911CAFFB}.dat

Filesize
4KB

MD5
6778d8e994590a26369c693148d93220

SHA1
3ae360b9bf7e228ed2ce8a0b7bd6bd32be295e94

SHA256
cf2e88a150b7d44cf5a05a754a3416b47f83212dd2038db2be511f8b165b771b

SHA512
17c3b9cf17e4f5855da0aabc0440d3ba3a3720dea1136d2a8452581f7f32cfb55ef3573c436897da501ddf8760e7d3be5e7e3f5587058b9ab51f4a62cbd2a5ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CE71B44-6BB6-11ED-89AC-F6A3911CAFFB}.dat

Filesize
5KB

MD5
2b40a2274b0c318104a5c33f9bc00ed2

SHA1
71592f0d6e81364d53e1d2477af52577bff1a869

SHA256
152b7f0211ed01af4c7208ad87ca221c0565b81e9eb1604d7b486503c196fa5f

SHA512
e95a699f48ddb02c01004a0c3569a97bc76cd491eb51b10752f6b783eab76db1d8e2e8efa9676e96cb7b4370f58b949ebd4c49f58e605ffb3aaf5803a2b44815

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAC71.bat

Filesize
722B

MD5
47e4250a8a3e0dd3cbd3a7cdd9587acd

SHA1
1b6cfbfe7574a6496f3220839365c47c72a6efbb

SHA256
f157941d5187d5b519fc35f4bd8911ddc26eaa331879e09f2b0dcc4004828178

SHA512
28e3cd5112d8b6a273df5ce2d2b1da73a7c902f8ea0e090a9c95fdb5499910c5ae197bee61ebfee23fe7e766d3432b1acc4ab03b601400783d423fa9f9689c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe

Filesize
111KB

MD5
c6961a78c1b76fffb4e6a09fe65cac21

SHA1
b0bcea68ca61d862fcc76ffdf29fdded08e739b1

SHA256
090d2fdb0c92cd287e43a21462ed656c52bd77c366edb35ebf436185d73e59eb

SHA512
fce8a32a1f02473cda2b7fa2dcc0c812979392f0e674fc9e107badd744541a7edd8e8089b74f4df817b8cd5a69f712283b410348442aa49b336b7a3d261c7665

Download Submit
C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fc.exe.exe

Filesize
111KB

MD5
c6961a78c1b76fffb4e6a09fe65cac21

SHA1
b0bcea68ca61d862fcc76ffdf29fdded08e739b1

SHA256
090d2fdb0c92cd287e43a21462ed656c52bd77c366edb35ebf436185d73e59eb

SHA512
fce8a32a1f02473cda2b7fa2dcc0c812979392f0e674fc9e107badd744541a7edd8e8089b74f4df817b8cd5a69f712283b410348442aa49b336b7a3d261c7665

Download Submit
C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\98fc29b7bc187d7d5619da44a9ed04773125bd85a76a65340509cca30bfa75fcSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
cbd156bd1052b4f0b5f27cf950500e88

SHA1
336196bc049b95d4462879dd3129bd04680162d9

SHA256
2d781db76c1cefd719a71d815a55494cc4d7b165137a31874eebee8e3baade3f

SHA512
d83e47e1810f0c40dc7dc51f9a3934b71b880303386c9a083ca3a1b3e319cf652e72f8a85e41f51ff37cd830862c6990cba00e48802c049e7726fac6008c7666

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
cbd156bd1052b4f0b5f27cf950500e88

SHA1
336196bc049b95d4462879dd3129bd04680162d9

SHA256
2d781db76c1cefd719a71d815a55494cc4d7b165137a31874eebee8e3baade3f

SHA512
d83e47e1810f0c40dc7dc51f9a3934b71b880303386c9a083ca3a1b3e319cf652e72f8a85e41f51ff37cd830862c6990cba00e48802c049e7726fac6008c7666

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
cbd156bd1052b4f0b5f27cf950500e88

SHA1
336196bc049b95d4462879dd3129bd04680162d9

SHA256
2d781db76c1cefd719a71d815a55494cc4d7b165137a31874eebee8e3baade3f

SHA512
d83e47e1810f0c40dc7dc51f9a3934b71b880303386c9a083ca3a1b3e319cf652e72f8a85e41f51ff37cd830862c6990cba00e48802c049e7726fac6008c7666

Download Submit
memory/1444-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1444-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3284-160-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3584-163-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4616-162-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4844-146-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4844-155-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download