b1d31c902186539b2eb39e87aca817447a6e61747abda0e8b82de3cc88d4ff4e

Analysis

max time kernel
11s
max time network
0s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

venom_cleaner.exe
Size

3.0MB
MD5

b5171ffa77f44270c3979165ec797df1
SHA1

625625196353920ef6cad543ad83d6038cb9c442
SHA256

0a30913f417c499108b490cd121f895b9e1f3d7b387a8eacb238a8032a7045f8
SHA512

1181a844603eb8917c29f29034452d6f6ed7876da5ded558d79358a798de5ba408ee9f68b59fe5b6a4622fbe39792a550aa6a288da88b9080181d5b55c60a0c7
SSDEEP

49152:XwutH7zfAqCUtFXqFLknKGrqqcmig4qSvFkfQg35/e0e/JTzUbc:XltbTUUQL4HrqqHigj4k4gk0iJTzUQ

Score

10^/10

defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer themida trojan

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
2704	fsutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	venom_cleaner.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	venom_cleaner.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	venom_cleaner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2236-0-0x000000013F780000-0x000000013FFA9000-memory.dmp	themida
behavioral1/memory/2236-2-0x000000013F780000-0x000000013FFA9000-memory.dmp	themida
behavioral1/memory/2236-3-0x000000013F780000-0x000000013FFA9000-memory.dmp	themida
behavioral1/memory/2236-4-0x000000013F780000-0x000000013FFA9000-memory.dmp	themida
behavioral1/memory/2236-510-0x000000013F780000-0x000000013FFA9000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	venom_cleaner.exe

Drops desktop.ini file(s) 45 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	iexplore.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	iexplore.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Public\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	venom_cleaner.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	venom_cleaner.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2236	venom_cleaner.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\SETUPUGC.EXE-E3C49C28.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\TASKHOST.EXE-7238F31D.pf	venom_cleaner.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\PfSvPerfStats.bin	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\NTOSBOOT-B00DFAAD.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-2CD59FDD.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\CLRGC.EXE-5D5B90F5.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\DRVINST.EXE-4CB4314A.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\MSCORSVW.EXE-245ED79E.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\NETSH.EXE-F1B6DA12.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-860C49A4.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\AgGlFgAppHistory.db	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\AgRobust.db	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\BFSVC.EXE-9C7A4DEE.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\CMD.EXE-4A81B364.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\REG.EXE-E7E8BD26.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-863AA78D.pf	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\AgAppLaunch.db	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\AgGlFaultHistory.db	venom_cleaner.exe
File opened for modification	C:\Windows\Prefetch\AgGlGlobalHistory.db	venom_cleaner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdiagnhost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0\ProcessorNameString	venom_cleaner.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString	venom_cleaner.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	venom_cleaner.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	venom_cleaner.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	venom_cleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	venom_cleaner.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS\BIOSVendor	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	venom_cleaner.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	venom_cleaner.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS\BIOSReleaseDate	venom_cleaner.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	venom_cleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	venom_cleaner.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	venom_cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "1551a8f0-091eeaa3-3"	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	venom_cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	venom_cleaner.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS\SystemManufacturer	venom_cleaner.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS\SystemProductName	venom_cleaner.exe

Gathers network information 2 TTPs 8 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1036	ipconfig.exe
1284	ipconfig.exe
220	ipconfig.exe
2680	ipconfig.exe
2736	ipconfig.exe
948	ipconfig.exe
3028	ipconfig.exe
1276	ipconfig.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2736	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LinksBar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c7000000000200000000001066000000010000200000003a7d5797f46ce1c63264d17f7efd06814ec5772b2ae3cc109a9c4857bac2b844000000000e800000000200002000000099c4f5e3c4fa16e0c467aad769ed408f2126a82fa7010abc443249f731c4a37310000000fe7f8dcc8bbb37a52a313e07dc972efa400000001a3e6617d2b8bf7f3dbceff36b5e246032a52370b11f754251ae17219808e1fd55b1b78bc0604385c752d74920922325a05de23dabc702899b8cbea425314cc4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Setup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c7000000000200000000001066000000010000200000006cd98381e7a870d06b12fc67d11b5a751b1bf8538d26427a5fed8734c370a77f000000000e8000000002000020000000c4baf8b2f43056a141ba385ab72784ea9a088dfee2378b347aeaa02b57e85b965000000050fda43bd73ecb86569ff680ae6321d75611a3541c3a5c1be77c803debc98e9095ed59f6cb005a30c6795aa1d8caba86ca3ae36e92d5b3ecd353be2ddfaa054a8f42948bcc998de83d66e8e044d3bcd2400000007cad8de2bee5b6b571d3d6fa465123d0e7fb3ea5973baf127c050b1dd62712f85bf87614630c56fda3cba800f913bb8642726b2d937cc4154bc47a68c15df769	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = c04d685a43ecda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = a002945d43ecda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000a33d1523bbf7f394cad50033d57e0b15eaa1582ea4d8f178d036471f9d255756000000000e80000000020000200000007d6c76c9030ca19a1fd1bc2f432a797eb21783506c181c922c4ac5c8713d3ec0900000000ea9da3fa27682133a2522f8c6ddc96aa09c30db4094795a72023bfe45fe2ba56e3098c560bcf8215259bd0d4cd1fc7b194ab36a455dc593e821457b8508ba69195bf91510414029feb4e690681404a3253a18b91cdc85e9c5d438fbfe6723ecc7dcd93e6c3211c801484bafaa39389ef8e3368319ec3d1a5ad1cdea0cdb4ae5a9174ca799d234047682f0a43645317b4000000063c9459ce0edf0936a2f29b7887b0caceb8df94d9ed4104e5d78633498b768d10ea547be2ef734215ee0afbd1268a9665a3d77352658df393f8a1001512b6ca3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c70000000002000000000010660000000100002000000085d725ab87044e2ef449884dcaa12e6a077e5e6d95a7debc6385353c796d3315000000000e8000000002000020000000012abdbd33a3c90ca54e49eda692415b5c7eed1e9fc9decc2be297046fb18ecd200000006af97236c6601c299dbd82bf21c0bcc5a086ff99eebf265c04598acfb6a320a740000000275cd2bc3353866d69d3f4a13a0bb6177626eb64011292fe45a88b35ed1490fb31f58e2a1e8320ae5a94d58ff54277a6d7aa0c9549dda6ecb313f3f405fd96a8	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = e078ead1926074af	venom_cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 40e9975a43ecda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Suggested Sites	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = 40e9975a43ecda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{97E53D21-5836-11EF-BC8E-E6140BA5C80C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = e087955a43ecda01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Suggested Sites\SlicePath = "C:\\Users\\Admin\\Favorites\\Links\\Suggested Sites.url"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a036a95f43ecda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2236	venom_cleaner.exe
2236	venom_cleaner.exe
2236	venom_cleaner.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2568	vssvc.exe
Token: SeRestorePrivilege	2568	vssvc.exe
Token: SeAuditPrivilege	2568	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2344	iexplore.exe
2872	msdt.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2344	iexplore.exe
2344	iexplore.exe
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2344	2236	venom_cleaner.exe	31
PID 2236 wrote to memory of 2344	2236	venom_cleaner.exe	31
PID 2236 wrote to memory of 2344	2236	venom_cleaner.exe	31
PID 2344 wrote to memory of 2040	2344	iexplore.exe	32
PID 2344 wrote to memory of 2040	2344	iexplore.exe	32
PID 2344 wrote to memory of 2040	2344	iexplore.exe	32
PID 2344 wrote to memory of 2040	2344	iexplore.exe	32
PID 2236 wrote to memory of 2820	2236	venom_cleaner.exe	34
PID 2236 wrote to memory of 2820	2236	venom_cleaner.exe	34
PID 2236 wrote to memory of 2820	2236	venom_cleaner.exe	34
PID 2820 wrote to memory of 2704	2820	cmd.exe	36
PID 2820 wrote to memory of 2704	2820	cmd.exe	36
PID 2820 wrote to memory of 2704	2820	cmd.exe	36
PID 2040 wrote to memory of 2872	2040	IEXPLORE.EXE	35
PID 2040 wrote to memory of 2872	2040	IEXPLORE.EXE	35
PID 2040 wrote to memory of 2872	2040	IEXPLORE.EXE	35
PID 2040 wrote to memory of 2872	2040	IEXPLORE.EXE	35
PID 2236 wrote to memory of 2860	2236	venom_cleaner.exe	37
PID 2236 wrote to memory of 2860	2236	venom_cleaner.exe	37
PID 2236 wrote to memory of 2860	2236	venom_cleaner.exe	37
PID 2860 wrote to memory of 2736	2860	cmd.exe	38
PID 2860 wrote to memory of 2736	2860	cmd.exe	38
PID 2860 wrote to memory of 2736	2860	cmd.exe	38
PID 2236 wrote to memory of 772	2236	venom_cleaner.exe	44
PID 2236 wrote to memory of 772	2236	venom_cleaner.exe	44
PID 2236 wrote to memory of 772	2236	venom_cleaner.exe	44
PID 772 wrote to memory of 1316	772	cmd.exe	45
PID 772 wrote to memory of 1316	772	cmd.exe	45
PID 772 wrote to memory of 1316	772	cmd.exe	45
PID 1316 wrote to memory of 1788	1316	net.exe	46
PID 1316 wrote to memory of 1788	1316	net.exe	46
PID 1316 wrote to memory of 1788	1316	net.exe	46
PID 2236 wrote to memory of 2784	2236	venom_cleaner.exe	48
PID 2236 wrote to memory of 2784	2236	venom_cleaner.exe	48
PID 2236 wrote to memory of 2784	2236	venom_cleaner.exe	48
PID 2784 wrote to memory of 1320	2784	cmd.exe	49
PID 2784 wrote to memory of 1320	2784	cmd.exe	49
PID 2784 wrote to memory of 1320	2784	cmd.exe	49
PID 2236 wrote to memory of 3032	2236	venom_cleaner.exe	50
PID 2236 wrote to memory of 3032	2236	venom_cleaner.exe	50
PID 2236 wrote to memory of 3032	2236	venom_cleaner.exe	50
PID 3032 wrote to memory of 3028	3032	cmd.exe	51
PID 3032 wrote to memory of 3028	3032	cmd.exe	51
PID 3032 wrote to memory of 3028	3032	cmd.exe	51
PID 2236 wrote to memory of 2032	2236	venom_cleaner.exe	52
PID 2236 wrote to memory of 2032	2236	venom_cleaner.exe	52
PID 2236 wrote to memory of 2032	2236	venom_cleaner.exe	52
PID 2032 wrote to memory of 1276	2032	cmd.exe	53
PID 2032 wrote to memory of 1276	2032	cmd.exe	53
PID 2032 wrote to memory of 1276	2032	cmd.exe	53
PID 2236 wrote to memory of 2028	2236	venom_cleaner.exe	54
PID 2236 wrote to memory of 2028	2236	venom_cleaner.exe	54
PID 2236 wrote to memory of 2028	2236	venom_cleaner.exe	54
PID 2028 wrote to memory of 1036	2028	cmd.exe	55
PID 2028 wrote to memory of 1036	2028	cmd.exe	55
PID 2028 wrote to memory of 1036	2028	cmd.exe	55
PID 2236 wrote to memory of 2464	2236	venom_cleaner.exe	56
PID 2236 wrote to memory of 2464	2236	venom_cleaner.exe	56
PID 2236 wrote to memory of 2464	2236	venom_cleaner.exe	56
PID 2464 wrote to memory of 1284	2464	cmd.exe	57
PID 2464 wrote to memory of 1284	2464	cmd.exe	57
PID 2464 wrote to memory of 1284	2464	cmd.exe	57
PID 2236 wrote to memory of 1636	2236	venom_cleaner.exe	58
PID 2236 wrote to memory of 1636	2236	venom_cleaner.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\venom_cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\venom_cleaner.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://venomcheats.net/
  2⤵
  - Drops desktop.ini file(s)
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\msdt.exe
      -modal 393746 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFCA80.tmp -ep NetworkDiagnosticsWeb
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\net.exe
    net stop winmgmt /Y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop winmgmt /Y
      4⤵
      PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh winsock reset
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\netsh.exe
    netsh winsock reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ip reset
  2⤵
  PID:1636
- - C:\Windows\system32\netsh.exe
    netsh int ip reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh winsock reset
  2⤵
  PID:2840
- - C:\Windows\system32\netsh.exe
    netsh winsock reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh interface ipv4 reset
  2⤵
  PID:2668
- - C:\Windows\system32\netsh.exe
    netsh interface ipv4 reset
    3⤵
    PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh interface ipv6 reset
  2⤵
  PID:2192
- - C:\Windows\system32\netsh.exe
    netsh interface ipv6 reset
    3⤵
    PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh interface tcp reset
  2⤵
  PID:2336
- - C:\Windows\system32\netsh.exe
    netsh interface tcp reset
    3⤵
    PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int reset all
  2⤵
  PID:1500
- - C:\Windows\system32\netsh.exe
    netsh int reset all
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /release
  2⤵
  PID:212
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /renew
  2⤵
  PID:232
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  PID:2620
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /renew
  2⤵
  PID:800
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
  2⤵
  PID:908
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
    3⤵
    PID:1352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024081123.000\NetworkDiagnostics.0.debugreport.xml

Filesize
7KB

MD5
b38c3a23761dbd09d1625c2e593089f1

SHA1
ce44fd4b1c3a429040b340c9870b988fc648008f

SHA256
58037f820a21d6c16a57a12661331c916ade6a7e376c87b658ae72324c49eb9f

SHA512
f9e2351dd7b5b6ac1f14b09f080df7a389b5b41e381167323acf52fe1ec9bec91517070c90be66fe89e9727d82e777f43fab2e12d7a12276146acafd14e5dbc1

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024081123.000\ResultReport.xml

Filesize
34KB

MD5
5c410f3204d6cf24096f7358d89b472b

SHA1
2caeab97a17d911566022728bf94e311d26a9040

SHA256
48b3c2107184bbd28c3c895888c8afe4b986237b39bbec00948e301ec48b13bb

SHA512
402c8c0e70ba20278d14fad3d178db0dc301101f2bc08b3f24bc06bd8f7b5bb5a93ce6f399ee3d66e7a1fd48fc70de6ae7e6bdc2694cb6a96e2789ad6990b587

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024081123.000\results.xml

Filesize
253B

MD5
840b413cbf5e57a93deecff7e76cf260

SHA1
cdcb54b73ea2acbfaa16e9355b347c2548411026

SHA256
de5825ee63dd98ca86f86652ff81ac75380b3ac4d880ab44d8984b8bf531ffae

SHA512
2130c9f55a3b28492c698def50cf92d805ccee1334c95ca8f9f776f6ceeee91884e751fac42510088a262dd82de01dcd6aaac5186db4a97a221bd8289a72c3a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

Filesize
7KB

MD5
4e76489bdeb5b3075c33e7a2c84820da

SHA1
6757b723e1ba53e0dae1778e6f8abe59f47054ab

SHA256
4f9a73237dfc156ade9f539ee7ed69b46f9ad6172a72b8a63919f93e462f394d

SHA512
1ab048f285cb99ad104f771dc3d58d076aebed1a204437db34d67b811310a9a9eec47e4d2fb83d472ad01e054ff13e9c05dcbb757e8a9f5586bf305c16eaa5b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms

Filesize
28KB

MD5
1c43c0cd4f3d7a196738af66e09530e2

SHA1
3fd16ff2c718820805d0d44c2bcb7d0088db0a8d

SHA256
068865e3731d4025a0d320acf05928abb3ae3aa9da62fd122965a7896d1558d5

SHA512
168b1b75e86f898d14bed733e286888584e58837b58144f22f892965df0d3beee695ee3a97e8a029e37763a82158907919c9f142ec4de98f517cffaef4548926

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFCA80.tmp

Filesize
3KB

MD5
9c3046682753835471b5353c5402a498

SHA1
facd2dbaea265865ecd71b0d9f9d006479348a62

SHA256
70aecc843fc65a46852a08505757d649cb4f7f068b6d48aa35d28a165e202661

SHA512
83a65e983a35af7dc1882c60dd7fc2e5cfa4b822cdd4bcafada8d6c77e4fede673f198a53058a13f7999475873a456e8d989a1e5f96974acfa0590b11687e110

Download Submit
C:\Users\Admin\AppData\Local\Temp\PLA1436.tmp

Filesize
142B

MD5
2c4d5f60842ca57dd4460178a84d8f52

SHA1
f56b89a05559674a307087db8db3d0682d178b0e

SHA256
81e97a47d5f7b3b08fd26df0a54f12c50a4e327fb369a101d8ff5f5ab078e4e4

SHA512
b18d60d8a1ec38027eb93e2c3bea1070bfa6a590313842cec7d68525426dc367fd3268dba48b04a997a93a22e76d082d88427b639bd3ea629ea5fb04b1db5985

Download Submit
C:\Users\Admin\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\TEMP\SDIAG_37584a0b-b1fc-491b-b986-6502bc090e02\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_37584a0b-b1fc-491b-b986-6502bc090e02\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_37584a0b-b1fc-491b-b986-6502bc090e02\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_37584a0b-b1fc-491b-b986-6502bc090e02\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
C:\Windows\Temp\SDIAG_37584a0b-b1fc-491b-b986-6502bc090e02\DiagPackage.dll

Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_37584a0b-b1fc-491b-b986-6502bc090e02\en-US\DiagPackage.dll.mui

Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
C:\Windows\Temp\SDIAG_37584a0b-b1fc-491b-b986-6502bc090e02\result\ResultReport.xml

Filesize
34KB

MD5
68a4afef70a6fbe15e44e5151a868292

SHA1
846ef3e206317b1405ac4cc92e36ce45d462acb8

SHA256
f3c5cbdf1e8bec212fa8b8088f5d22a4d1b8b15b79c5de1a6494cecb87965487

SHA512
3764872ffb9dc6e33cef0415ca4b6429817677cb6bf18afe11c05516529488579c3882f8bea24506600b34ff5cdaf05475f5b3c52c14cfe78baed65f23e79887

Download Submit
C:\Windows\Temp\SDIAG_37584a0b-b1fc-491b-b986-6502bc090e02\result\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
memory/2236-4-0x000000013F780000-0x000000013FFA9000-memory.dmp

Filesize
8.2MB

Download
memory/2236-3-0x000000013F780000-0x000000013FFA9000-memory.dmp

Filesize
8.2MB

Download
memory/2236-2-0x000000013F780000-0x000000013FFA9000-memory.dmp

Filesize
8.2MB

Download
memory/2236-0-0x000000013F780000-0x000000013FFA9000-memory.dmp

Filesize
8.2MB

Download
memory/2236-1-0x00000000772D0000-0x00000000772D2000-memory.dmp

Filesize
8KB

Download
memory/2236-510-0x000000013F780000-0x000000013FFA9000-memory.dmp

Filesize
8.2MB

Download