ramnit | 1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
Size

2.6MB
MD5

693d588667850d58b0257906ef0c08ce
SHA1

cb4366dd06a62bd35549722b282e86f0dcdde60a
SHA256

1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4
SHA512

aab2d29d59c9caaabfc40e0b4b04a5ff835975e571d4bef121fdb5b9e25eb213658a77609595339b00f3059a3367d54965650060beaafb4833357300b34a62a7
SSDEEP

49152:igTUS7p9aBZbTChxKCnFnQXBbrtgb/iQvu0UHOi:uZ6hxvWbrtUTrUHOi

Score

10^/10

ramnit renamer banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Detects Renamer worm. 1 IoCs

Renamer aka Grename is worm written in Delphi.

resource	yara_rule
behavioral2/files/0x000700000002349a-140.dat	family_renamer

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Renamer, Grenam
Renamer aka Grenam is a worm written in Delphi.
worm renamer

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	@AEDD50.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WdExt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	launch.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe

Executes dropped EXE 8 IoCs

pid	Process
3552	@AEDD50.tmp.exe
3036	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
4976	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe
1040	DesktopLayer.exe
1200	WdExt.exe
4420	launch.exe
1288	wtmps.exe
1956	mscaps.exe

Loads dropped DLL 2 IoCs

pid	Process
3552	@AEDD50.tmp.exe
1200	WdExt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\""	launch.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	F:\autorun.inf	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe
File opened for modification	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4976-152-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x000800000002349c-151.dat	upx
behavioral2/memory/4976-174-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1040-175-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\vOSE.ico	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX3A18.tmp	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vuninstall.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\7-Zip\vUninstall.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\RCX39BA.tmp	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Java\jre-1.8\bin\vjabswitch.ico	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\7-Zip\v7z.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vjavapackager.ico	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\vchrome_proxy.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vchrome.exe.sig	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX394B.tmp	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\7-Zip\RCX6C1.tmp	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\RCX27B1.tmp	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\vDW20.ico	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\vmisc.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Google\Chrome\Application\vchrome.ico	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vjavadoc.ico	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\vSQLDumper.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\vOSE.EXE	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX1B96.tmp	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\vCLVIEW.EXE	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE84D.tmp	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX3B35.tmp	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\vcreatedump.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vjar.ico	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\vSQLDumper.ico	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\7-Zip\RCX8B6.tmp	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\vLICLUA.ico	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\vsetup.ico	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bfsvc.exe	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@AEDD50.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtmps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WdExt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	launch.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134172"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2501238384"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134172"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2551235918"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434316651"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C058D584-7DCF-11EF-8D5B-DEB7298358C0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134172"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2501238384"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3552	@AEDD50.tmp.exe
3552	@AEDD50.tmp.exe
1040	DesktopLayer.exe
1040	DesktopLayer.exe
1040	DesktopLayer.exe
1040	DesktopLayer.exe
1040	DesktopLayer.exe
1040	DesktopLayer.exe
1040	DesktopLayer.exe
1040	DesktopLayer.exe
1200	WdExt.exe
1200	WdExt.exe
4420	launch.exe
4420	launch.exe
4420	launch.exe
4420	launch.exe
4420	launch.exe
4420	launch.exe
4420	launch.exe
4420	launch.exe
4420	launch.exe
4420	launch.exe
4420	launch.exe
4420	launch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1564	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1564	iexplore.exe
1564	iexplore.exe
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 3980	4168	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe	85
PID 4168 wrote to memory of 3980	4168	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe	85
PID 4168 wrote to memory of 3980	4168	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe	85
PID 4168 wrote to memory of 3980	4168	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe	85
PID 4168 wrote to memory of 3980	4168	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe	85
PID 3980 wrote to memory of 3552	3980	explorer.exe	86
PID 3980 wrote to memory of 3552	3980	explorer.exe	86
PID 3980 wrote to memory of 3552	3980	explorer.exe	86
PID 3980 wrote to memory of 3036	3980	explorer.exe	87
PID 3980 wrote to memory of 3036	3980	explorer.exe	87
PID 3980 wrote to memory of 3036	3980	explorer.exe	87
PID 3036 wrote to memory of 4976	3036	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe	88
PID 3036 wrote to memory of 4976	3036	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe	88
PID 3036 wrote to memory of 4976	3036	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe	88
PID 4976 wrote to memory of 1040	4976	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe	89
PID 4976 wrote to memory of 1040	4976	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe	89
PID 4976 wrote to memory of 1040	4976	1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe	89
PID 1040 wrote to memory of 1564	1040	DesktopLayer.exe	90
PID 1040 wrote to memory of 1564	1040	DesktopLayer.exe	90
PID 3552 wrote to memory of 4316	3552	@AEDD50.tmp.exe	91
PID 3552 wrote to memory of 4316	3552	@AEDD50.tmp.exe	91
PID 3552 wrote to memory of 4316	3552	@AEDD50.tmp.exe	91
PID 3552 wrote to memory of 2816	3552	@AEDD50.tmp.exe	93
PID 3552 wrote to memory of 2816	3552	@AEDD50.tmp.exe	93
PID 3552 wrote to memory of 2816	3552	@AEDD50.tmp.exe	93
PID 1564 wrote to memory of 2104	1564	iexplore.exe	95
PID 1564 wrote to memory of 2104	1564	iexplore.exe	95
PID 1564 wrote to memory of 2104	1564	iexplore.exe	95
PID 4316 wrote to memory of 1200	4316	cmd.exe	96
PID 4316 wrote to memory of 1200	4316	cmd.exe	96
PID 4316 wrote to memory of 1200	4316	cmd.exe	96
PID 1200 wrote to memory of 5092	1200	WdExt.exe	101
PID 1200 wrote to memory of 5092	1200	WdExt.exe	101
PID 1200 wrote to memory of 5092	1200	WdExt.exe	101
PID 5092 wrote to memory of 4420	5092	cmd.exe	103
PID 5092 wrote to memory of 4420	5092	cmd.exe	103
PID 5092 wrote to memory of 4420	5092	cmd.exe	103
PID 4420 wrote to memory of 220	4420	launch.exe	105
PID 4420 wrote to memory of 220	4420	launch.exe	105
PID 4420 wrote to memory of 220	4420	launch.exe	105
PID 220 wrote to memory of 1288	220	cmd.exe	107
PID 220 wrote to memory of 1288	220	cmd.exe	107
PID 220 wrote to memory of 1288	220	cmd.exe	107
PID 1288 wrote to memory of 1956	1288	wtmps.exe	110
PID 1288 wrote to memory of 1956	1288	wtmps.exe	110
PID 1288 wrote to memory of 1956	1288	wtmps.exe	110

C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
"C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 1200
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\mscaps.exe
        
        "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        10⤵
        Executes dropped EXE
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
- - C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
    "C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe
      C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4976
    - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:17410 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\bin\vjavaws.ico

Filesize
4KB

MD5
38b41d03e9dfcbbd08210c5f0b50ba71

SHA1
2fbfde75ce9fe8423d8e7720bf7408cedcb57a70

SHA256
611f2cb2e03bd8dbcb584cd0a1c48accfba072dd3fc4e6d3144e2062553637f5

SHA512
ec97556b6ff6023d9e6302ba586ef27b1b54fbf7e8ac04ff318aa4694f13ad343049210ef17b7b603963984c1340589665d67d9c65fec0f91053ff43b1401ba9

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\vIntegratedOffice.ico

Filesize
4KB

MD5
3ea9bcbc01e1a652de5a6fc291a66d1a

SHA1
aee490d53ee201879dff37503a0796c77642a792

SHA256
a058bfd185fe714927e15642004866449bce425d34292a08af56d66cf03ebe6c

SHA512
7c740132f026341770b6a20575786da581d8a31850d0d680978a00cc4dfca1e848ef9cdc32e51bae680ea13f6cc0d7324c38765cb4e26dcb2e423aced7da0501

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.ico

Filesize
4KB

MD5
fc27f73816c9f640d800cdc1c9294751

SHA1
e6c3d8835d1de4e9606e5588e741cd1be27398f6

SHA256
3cc5043caa157e5f9b1870527b8c323850bdae1e58d6760e4e895d2ab8a35a05

SHA512
9e36b96acc97bc7cd45e67a47f1ae7ab7d3818cc2fdaad147524ce9e4baedfaac9cd012923ec65db763bfd850c65b497376bb0694508bee59747f97bf1591fd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
e81809e35464c6a8ccffb00fa7424f8a

SHA1
aca926d8ab54a834b33db7c5fb4355287d2cd2a7

SHA256
01c74bfb667bcffad25fd994026261a336a8e8dcf85ad629a75c87e838fcf744

SHA512
d807413cf4356a8861ae6bbfe5fd2792bdb5b81ec9fe64f6d567e505d001c847d8eeb4bc730599a5428afcf561d35ddf022d1d3079036d65a0e382d4737d5c28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d0f0cff67f92369aa674a265f4d2742f

SHA1
9614f812ae2f5b9c9cac2e73081ab8463032367b

SHA256
cd4e301d8a56ce461220d69fc05508286a0a0e7fca8f497f606109df68f5fe13

SHA512
29e7b18d1570b7a2bebe64e19a7a8d7021be9b476b2b694f81dce44c3962447db030ae37228eae05c7d4ee9d867666e11a77272510adcd4f9a4c41ab9defc171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe

Filesize
881KB

MD5
5bb650aca3ad2efe1df6eb5957e87f00

SHA1
6d0ab5953d40cce00e72f1498365c7c1c142dc8c

SHA256
7db4f594e3006fe39339ee65a4bd0daf9c8e4547dd83849fcba4818656877fdc

SHA512
2728fe0676ac15b278ad97c053b78f32540c268f2682bbc37e2c51eda214a2a41359676fb1cd583b2bfa25ffb392ec48a9caa19d7de2dcd54a9ec54604930c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\361E.tmp

Filesize
406B

MD5
37512bcc96b2c0c0cf0ad1ed8cfae5cd

SHA1
edf7f17ce28e1c4c82207cab8ca77f2056ea545c

SHA256
27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f

SHA512
6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

Download Submit
C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe

Filesize
1.7MB

MD5
6ed8f908231b1c2082cc5e5f962ef9f9

SHA1
292ecfa4067298705c113a1a2172816ae9d3c49b

SHA256
ef41806462f78adebc7d8979ab31a3aae2025eed2dcf444d91793cc385025b4e

SHA512
43cb80133c3aa8cf706e44a389532c3cbb7408ccea6a3ed619a6cd6e64e145232a3274d48e2797a7578f48f2b28e89ce6d0e390fca50621e38bd3b493e612609

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9E3.tmp

Filesize
120KB

MD5
f558c76b0376af9273717fa24d99ebbf

SHA1
f84bcece5c6138b62ef94e9d668cf26178ee14cc

SHA256
01631353726dc51bcea311dbc012572cf96775e516b1c79a2de572ef15954b7a

SHA512
2092d1e126d0420fec5fc0311d6b99762506563f4890e4049e48e2d87dde5ac3e2e2ecc986ab305de2c6ceb619f18879a69a815d3241ccf8140bc5ea00c6768d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB2C.tmp

Filesize
126KB

MD5
02ae22335713a8f6d6adf80bf418202b

SHA1
4c40c11f43df761b92a5745f85a799db7b389215

SHA256
ae5697f849fa48db6d3d13455c224fcf6ceb0602a1e8ac443e211dd0f32d50f4

SHA512
727d16102bfc768535b52a37e4e7b5d894f5daa268d220df108382c36dcce063afdbc31fd495a7a61305263ec4cd7e92713d894faa35b585c0b379217a1d929c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC18.tmp

Filesize
99KB

MD5
9a27bfb55dd768ae81ca8716db2da343

SHA1
55da0f4282bd838f72f435a5d4d24ac15b04482b

SHA256
5ec8093ef5939d1abce1c576097b584fb600b94ad767c1da897f7cb7f0063d26

SHA512
d9bb49d2f282ed09c351a1d8eb2540781e6a7fb39265473fd59d146bfc162f27a4ab1405301ed7395c12929a80551a399437d7d794d7ac48650e9037b60eb69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC58.tmp

Filesize
172KB

MD5
2634fa3a332c297711cb59d43f54ffce

SHA1
8e2b68d0ee4e792efb1945ba86eceb87f07087d2

SHA256
27c945ccb84aa024f1f063701327e829a7ef3a7ede4a43b2febbb1dddbdf8740

SHA512
84e4799b9b18a7cc7be685c793a9b4fb135ea331d1d235fe823e1d7091130f131ab2fbad1da4dea795e82547aa16b00f4e2a9faaa96cb522d795f9abfda2fc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD04.tmp

Filesize
276KB

MD5
e07c6a9e595f045fadc463dfda44ab16

SHA1
e6b199272ade02613f2003c365a4cb1487431e23

SHA256
d2fa6f9686386a92253a9c5ea25ace702a111483540b60c1300789235cea7fdc

SHA512
f3c630ae8381b99519aeeadbc2918810e7fb09a909f73ee6c46f4e9d3cf8c5051a5cf763db6a775d6cd8713ccf95a63b18df9ed756fa28276e8d7ab6a47f2cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtmps.exe

Filesize
276KB

MD5
75c1467042b38332d1ea0298f29fb592

SHA1
f92ea770c2ddb04cf0d20914578e4c482328f0f8

SHA256
3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373

SHA512
5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

Filesize
172KB

MD5
daac1781c9d22f5743ade0cb41feaebf

SHA1
e2549eeeea42a6892b89d354498fcaa8ffd9cac4

SHA256
6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

SHA512
190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
be4ebd867150b684cda9432431982a95

SHA1
2da879810521efe1f28555a6c9b33831d317070a

SHA256
0602a66eadaef98e2ea191dcaa9da7899d1b546b8aef9704b8a38b0d7e284260

SHA512
5456fbdc52debe5770b54c5066a0dbe16b5502665178f6a6b8181d03a2ca331352f7f4d1d49a729385654f75f02d81ccc1d6634eabef5e688ec30f45b7b9e1be

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
aab6073086c52bff71f323fa82d0e78e

SHA1
6ba8b4877d1eab5fa562a47472dd9e950c798884

SHA256
267d48b31756e59ebdf6f74bba99746f9dff49c2de0fbefa8b64fce06355bce2

SHA512
39532902f296d250252253b0e5e3fedd4a8537115fd3dbea20e23a424a165401a28bf25ec43e60a3915a9f6a68321fdec8fcbfea3f5d8cd74f96a498122350e8

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
102B

MD5
aca8fb2d8abe1a36a06584a491e51af1

SHA1
fd989834258db1e2637365f1dd47bd0e1aa0194f

SHA256
00e5f00b8ea8adfa2ebc74110fa32c920b25ce8d447dc65f367f5eae12458942

SHA512
717f665916a1347a7b2671afd8b328539d70d15d5c0bb6a788fa20d65dfa000f2ed00a40b791d4b3d9960071b98f47fb79cb8f0e0d16eda610666d3de12bc090

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
126B

MD5
b08abd3e0b82b0b4e0cfd4b8bcffbd6d

SHA1
e7950fcbd9134d7967bbf0428a530cd525d99738

SHA256
26acb987324ff3ea9fb9ae7d42df38976d58077cd6d42d77098bc0d021c6d2f0

SHA512
addb2a7d69f84b888375ee0325421c7e156e47dbc979dadd1530c5eaca3484a714e7d4df12ad8be898b30e78b4723e9b24287fb8987780e9162defd34bf848c7

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
388KB

MD5
8d7db101a7211fe3309dc4dc8cf2dd0a

SHA1
6c2781eadf53b3742d16dab2f164baf813f7ac85

SHA256
93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

SHA512
8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
78d3c8705f8baf7d34e6a6737d1cfa18

SHA1
9f09e248a29311dbeefae9d85937b13da042a010

SHA256
2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

SHA512
9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

Download Submit
F:\autorun.inf

Filesize
102B

MD5
5513829683bff23161ca7d8595c25c72

SHA1
9961b65bbd3bac109dddd3a161fc30650e8a7096

SHA256
94e323bd9071db7369ade16f45454e7a0dbfb6a39efddc1234c4719d1f7ee4c2

SHA512
308c84446106cda0a71e37b0de46aaf4b7361f9ddcc3c4c29f8e87da8acb606525dce8a42caf9d74e708c56b31c524f9535a2f5f4757c6c357401da1c495ddb6

Download Submit
memory/1040-173-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1040-175-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3036-305-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3036-485-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3036-147-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3036-286-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3036-564-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3552-12-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3980-0-0x0000000000403000-0x0000000000405000-memory.dmp

Filesize
8KB

Download
memory/4976-174-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4976-152-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download