Malware Analysis Report

2024-11-16 13:23

Sample ID 240928-x6crlssenl
Target 1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4
SHA256 1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4
Tags
ramnit renamer banker discovery spyware stealer trojan upx worm persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4

Threat Level: Known bad

The file 1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4 was found to be: Known bad.

Malicious Activity Summary

ramnit renamer banker discovery spyware stealer trojan upx worm persistence

Ramnit

Renamer, Grenam

Detects Renamer worm.

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-28 19:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-28 19:27

Reported

2024-09-28 19:30

Platform

win7-20240903-en

Max time kernel

140s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe"

Signatures

Detects Renamer worm.

Description Indicator Process Target
N/A N/A N/A N/A

Ramnit

trojan spyware stealer worm banker ramnit

Renamer, Grenam

worm renamer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\vjarsigner.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\7-Zip\v7z.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\vjrunscript.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\vFreeCell.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\RCXC394.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\vFreeCell.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\RCXC5D2.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\RCXC5E5.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\vjava-rmi.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\vMineSweeper.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXC354.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\vjavadoc.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\vHearts.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\vjstack.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\vjavac.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\vjavac.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\vSpiderSolitaire.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\vjavadoc.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\vjps.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\7-Zip\vUninstall.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\RCXC58E.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\vjrunscript.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\vHearts.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\vbckgzm.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCXC305.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\vjavah.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\bfsvc.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433713524" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B7D061A1-7DCF-11EF-8673-F2BBDB1F0DCB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Windows\SysWOW64\explorer.exe
PID 2212 wrote to memory of 1604 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe
PID 2212 wrote to memory of 2400 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
PID 2400 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe
PID 108 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 108 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 108 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 108 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2092 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2092 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2092 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2092 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1208 wrote to memory of 568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1208 wrote to memory of 568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1208 wrote to memory of 568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1208 wrote to memory of 568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1604 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
PID 2172 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
PID 2172 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
PID 2172 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
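
The process tree above was rebuilt by hand from the table. The following added example (not part of the report or of the sandbox's own tooling) does the same rebuild programmatically so it can be rerun over other reports in this format. Its input is the set of rows from this page with duplicates dropped, except the first pair, which is kept twice so that the per-edge counting is exercised; it assumes the row layout is exactly the one printed above (PID, "wrote to memory of", PID, "N/A", writer image, target image, with both images starting with a drive letter).

```python
"""Rebuild a process tree from 'PID X wrote to memory of Y' sandbox rows."""
import re
from collections import Counter, defaultdict

# Rows copied from the WriteProcessMemory table above. The raw table repeats
# most pairs four times; each pair is kept once here, except the first, which
# is kept twice so that the per-edge counting is exercised.
WRITE_EVENTS = r"""
PID 2940 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Windows\SysWOW64\explorer.exe
PID 2212 wrote to memory of 1604 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe
PID 2212 wrote to memory of 2400 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
PID 2400 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe
PID 108 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2092 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1208 wrote to memory of 568 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1604 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
"""

# Both image columns start with a drive letter, which is what lets the
# non-greedy first group stop at the right place despite spaces in paths.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def parse_write_events(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events):
    """Map each written-to PID to its writer, plus images and per-edge counts.

    A PID written to by two different writers is reported instead of being
    silently overwritten: that pattern is injection into an existing process,
    not process creation, and should be looked at separately.
    """
    parent, images, counts = {}, {}, Counter()
    for writer, target, writer_img, target_img in events:
        images[writer] = writer_img
        images[target] = target_img
        counts[(writer, target)] += 1
        if parent.setdefault(target, writer) != writer:
            raise ValueError(f"PID {target} written to by {parent[target]} and {writer}")
    return parent, images, counts


def roots(parent):
    """PIDs that write to others but are never written to (the submitted sample)."""
    return sorted(set(parent.values()) - set(parent))


def render_tree(parent, images, counts):
    """Indented tree, one PID per line, with the image basename and edge count."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    lines = []

    def walk(pid, depth):
        name = images[pid].rsplit("\\", 1)[-1]
        suffix = f"  <- {counts[(parent[pid], pid)]} write(s)" if pid in parent else ""
        lines.append("    " * depth + f"{pid} {name}{suffix}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots(parent):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(*build_tree(parse_write_events(WRITE_EVENTS))))
```

build_tree refuses a target with two writers on purpose: in a report where that happens, the second writer is injecting into a process it did not start, which is the case that deserves a separate look rather than a tidy tree.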

Processes

PIDs are taken from the WriteProcessMemory rows above, whose order of first appearance matches this list; the IEXPLORE.EXE command line (SCODEF:1208) confirms the pairing for the Internet Explorer pair. The two cmd.exe entries are PIDs 2172 and 1176 in that order, but the report does not say which of them ran Admin0.bat and which ran Admin1.bat; WdExt.exe was started by 2172.

PID 2940 (submitted sample)
C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
"C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe"

PID 2212 (writer: 2940). A fresh 32-bit explorer.exe started with a bare command line, not the desktop shell, which runs from C:\Windows as a 64-bit process.
C:\Windows\SysWOW64\explorer.exe
explorer.exe

PID 1604 (writer: 2212)
C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe"

PID 2400 (writer: 2212), second copy of the sample
C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
"C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe"

PID 108 (writer: 2400)
C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe
C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe

PID 2092 (writer: 108)
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

PID 1208 (writer: 2092)
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"

PID 568 (writer: 1208), the content process of the Internet Explorer frame 1208
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:275457 /prefetch:2

PID 2172 or 1176 (writer: 1604)
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "

PID 1176 or 2172 (writer: 1604)
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "

PID 1556 (writer: 2172)
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp (3 connections)

This is the background traffic Internet Explorer generates when it starts (DNS through the sandbox resolver for Windows Update and Bing, then TLS to ieonline.microsoft.com), and the only Internet Explorer processes in this run are the ones DesktopLayer.exe wrote into (PIDs 1208 and 568). No destination specific to the sample was recorded in the 128 s network window, so this table yields no network indicators; the usable indicators from this detonation are the dropped-file hashes, paths and registry values below.

Files

How to read this list: "memory/<pid>-<n>-<start>-<end>-memory.dmp" entries are memory regions the sandbox dumped from the named PID, not files on disk. The "v"-prefixed executables under \Program Files\ (v7z.exe, vchrome.exe, vjava.exe, vsetup.exe and the rest) are the behaviour behind the renamer/Grenam tags: each name is an installed program's file name with a "v" prepended. mydll.dll under AppData\Roaming\Temp appears twice with different hashes, so it was written twice with different content; both hashes are valid indicators. F:\autorun.inf is the removable-drive spreading mechanism reported as "Drops autorun.inf file". The many CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 entries, and CabDD28.tmp/TarDDC8.tmp, are crypt32's certificate trust and revocation cache and its temporary extraction files, written by the Internet Explorer processes the sample injected into; their hashes change on every rewrite and should be left out of indicator lists, as should the Microsoft and Bing destinations in the Network table.

\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe

MD5 6ed8f908231b1c2082cc5e5f962ef9f9
SHA1 292ecfa4067298705c113a1a2172816ae9d3c49b
SHA256 ef41806462f78adebc7d8979ab31a3aae2025eed2dcf444d91793cc385025b4e
SHA512 43cb80133c3aa8cf706e44a389532c3cbb7408ccea6a3ed619a6cd6e64e145232a3274d48e2797a7578f48f2b28e89ce6d0e390fca50621e38bd3b493e612609

memory/1604-12-0x0000000010000000-0x0000000010015000-memory.dmp

\Users\Admin\AppData\Roaming\Temp\mydll.dll

MD5 7ff15a4f092cd4a96055ba69f903e3e9
SHA1 a3d338a38c2b92f95129814973f59446668402a8
SHA256 1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627
SHA512 4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

memory/2212-22-0x0000000002970000-0x0000000002A5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe

MD5 5bb650aca3ad2efe1df6eb5957e87f00
SHA1 6d0ab5953d40cce00e72f1498365c7c1c142dc8c
SHA256 7db4f594e3006fe39339ee65a4bd0daf9c8e4547dd83849fcba4818656877fdc
SHA512 2728fe0676ac15b278ad97c053b78f32540c268f2682bbc37e2c51eda214a2a41359676fb1cd583b2bfa25ffb392ec48a9caa19d7de2dcd54a9ec54604930c9c

memory/2400-144-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/2400-149-0x0000000000270000-0x000000000029E000-memory.dmp

memory/108-153-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2092-163-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2092-162-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2092-160-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

MD5 d1073c9b34d1bbd570928734aacff6a5
SHA1 78714e24e88d50e0da8da9d303bec65b2ee6d903
SHA256 b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020
SHA512 4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

MD5 5c187c192720c59e31f73de419cde0d3
SHA1 72042f2df1a22dedf8733b5e9c31738b294433ca
SHA256 288a4132e9730d4296b71dda4cc6985f7125eb187771d4e5e75395f5182e1e7a
SHA512 c3cdac679144a76d08d26e3e1d5a5286a5cf5cff4fc2d97fb2322f17343720150660f598ca1da437e37b7fcb5695432930ac9fcb0f2401d43c47ace2c1cd9d0a

C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

MD5 684c111c78f8bf6fcb5575d400e7669c
SHA1 d587894c0beffdff00ae6d358a5463ef18bcb485
SHA256 080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716
SHA512 bcf748d21be502d7346f56ffc9ef13f3394d46c679d7cf17289d007e91b4ead2ec4035b3ccd5626eb378958cbb6ac371edfde8319433db9b709694595ae53e4f

\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

MD5 05eb430f0de56440d16e0641512e10a7
SHA1 f74e1e66ef75ff6a68f6b65de3cddcb6e6380c2d
SHA256 cd56bb716ac665f1bacf63a2172b0833c111c5373127adef1c2e9b46deb1518a
SHA512 d703165f9bf1d679e17a95dd4b731e3a5d99af796474194980afda9b5c120fa18788ae3a3e647d1c9ea069758bb799760317d6fc871e9c5c0252825113c6afc1

memory/2400-284-0x0000000002150000-0x0000000002160000-memory.dmp

\Program Files\7-Zip\v7z.exe

MD5 9a1dd1d96481d61934dcc2d568971d06
SHA1 f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA256 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA512 7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

\Program Files\7-Zip\v7zFM.exe

MD5 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

\Program Files\7-Zip\vUninstall.exe

MD5 ad782ffac62e14e2269bf1379bccbaae
SHA1 9539773b550e902a35764574a2be2d05bc0d8afc
SHA256 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
SHA512 a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

\Program Files\7-Zip\v7zG.exe

MD5 50f289df0c19484e970849aac4e6f977
SHA1 3dc77c8830836ab844975eb002149b66da2e10be
SHA256 b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305
SHA512 877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

\Program Files\Common Files\Microsoft Shared\OFFICE14\vMSOXMLED.EXE

MD5 f45a7db6aec433fd579774dfdb3eaa89
SHA1 2f8773cc2b720143776a0909d19b98c4954b39cc
SHA256 2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a
SHA512 03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

\Program Files\Google\Chrome\Application\vchrome.exe

MD5 095092f4e746810c5829038d48afd55a
SHA1 246eb3d41194dddc826049bbafeb6fc522ec044a
SHA256 2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588
SHA512 7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

\Program Files\Google\Chrome\Application\vchrome_proxy.exe

MD5 b65d7344b0a7faa207d2e1a7adaafb60
SHA1 755ad15b1745b0e730d658d4a92e2b754425b7db
SHA256 f4b91fbbcba8a46eefe4965e4a24c6ede3decbd1fec96e141a1953173efd1c92
SHA512 f17ac73c2df7c73a31b11ce0f533d6db91bdb0cdeea653dcd52ac72c3cf28da0c236b79586ddc7a6c825fdd171290722f888465e776f12ac2cae75be82726b22

\Program Files\Java\jdk1.7.0_80\bin\vjavah.exe

MD5 8ffd9b7406e8aecf1d6117606d2bd149
SHA1 edf1f0f2f1024cd0fb6b39dadca251c99ccdedcc
SHA256 dd6b65e78cb194055494bbb7736ef917d3d6da1863567afe50b8abfc8e51267d
SHA512 ee54a1bec20608477053e87c641cc59dfe3c5a77061395c9d41759c3c559d6d5e8761b75327f3a05e62c602031650ec0be375a1b2235a944048ab340efce7397

\Program Files\Java\jdk1.7.0_80\bin\vjavafxpackager.exe

MD5 cace8f27a66ffec4f9823aa258c307a9
SHA1 dc515d29aa43d2b6b7e157f05e97e87d5f785884
SHA256 3cf626dac6e91a03f688bf5ab674871a3e0411314f261bb2c69346a1c46bc733
SHA512 4a5d5b564bd483e1949826d388e41c63a7b056236c5972c76721fd98c9b704a79622ed4c1b045080e4470340a9953595df955148999e15677f0e38e529a6a5f7

\Program Files\Java\jdk1.7.0_80\bin\vjavadoc.exe

MD5 516f6320ae4d755b9ea0c7c8347f5801
SHA1 bfce7c2869725ec8f327b083be57d20671fcb2a2
SHA256 9e696aa5772e8cba27545b47b00be4a3b8fc888f8c83ca11939b753850feab14
SHA512 0e12bc2f01f2897df41e56cee150177a3cc09ca5e889b61fcb9dbe07391a6f2537454401a2ca2ad93c652303a8e5782fd9860ca83734401393e314570175a6f0

\Program Files\Java\jdk1.7.0_80\bin\vjavac.exe

MD5 000b77a2ed92887856174641dfb6f485
SHA1 7872d9768f3a4b0601b91bd0b55f08c8992819e6
SHA256 1100a8d298426491aeb34288f7d6e600622f2d94fc01bfeb093fcea3ac32a8e4
SHA512 cec8642269bee8162b8d317ba61777b4005cb2dae8e9837bfd336bc6fd633066cd52b878160f4496113c147a7d0374619367e9bb451e82f7a5a39f0db3fde152

\Program Files\Java\jdk1.7.0_80\bin\vjava.exe

MD5 641b4ed6ab90a6f52ee512ea88a64cd1
SHA1 28d014900accc98e6089d83d0b2a8cb8735ed101
SHA256 13590945a04037dfd15d61166e0771682c7809674fca42f53fdb3afdcbe21410
SHA512 00a588556196e305dbf1714e573a5c5516c2988356b984a7284ba017a78bacb8d576b590da35be40171d6dca73580c5b9ab06808c7246c2e13c8d9b816f2ca09

\Program Files\Java\jdk1.7.0_80\bin\vjava-rmi.exe

MD5 a5f4cccc602a42b4ddbd8acbcf34f158
SHA1 5f26277884b2f6cdac26267f9b582ac5a5d21b08
SHA256 2d9044e9265fc09680d5f0c054c4ccac7d8d14b3a4a42e803a2097108e0f1acc
SHA512 3cb0d0028468edb1687c6142ce3ed6b594428bd209bf8b85ab2315e7992af12c4d622f26e652d6be0718d51d0d6a171c0a881b36d2e67a199998442e91621149

\Program Files\Java\jdk1.7.0_80\bin\vjavap.exe

MD5 95cf3bf094a35c9e7434bc402c09630c
SHA1 2b4d21ee55666f0664a644ec443502a942b9e7d4
SHA256 4973b97a274648d53977499891b919f98684fdbebce10751d71ce4d2754f6622
SHA512 09db399afec354ab699701f4196e93178db613421beda9e695bc36414698f83084d05b70595d2b31fe2a0d757ba98640f7e3953defb8dd71df03e4c01391fe8e

\Program Files\Java\jdk1.7.0_80\bin\vjarsigner.exe

MD5 2f7770a34bb22b99f8f6966851331d82
SHA1 2a2860cde1482df656544e1983e957f815be4193
SHA256 f873c02b69408f905c2c0b35b188d2c0b0a7cccc98a59d18dd0c297f761d2ef7
SHA512 8611f8bace081711d6f5dcd41177f594314970c5b2f328755027383e4ad2a239bbd85e0cedf6d1a76d9d1f54afbd340c9bd4ab119bb87cfd5a11149a0cb71dfc

\Program Files\Java\jdk1.7.0_80\bin\vjar.exe

MD5 3eeb342d48cfaa4c568a93ffdfc847d0
SHA1 ed5fd565c4a1867ca554314f038fc20c7de01b90
SHA256 29e65344e34c2354da05e8de64b106aa0ec99d8c5c22b58797d0047e227879ff
SHA512 db5b84233d40139c44cb8fd1a43e1c8a41c967358641e1488cc19474a8de381c5aa2c84f61b10d69d019f0d7170177cccea47ce9460d409a480c8537232a2ef0

\Program Files\Java\jdk1.7.0_80\bin\vjabswitch.exe

MD5 502e87232756dfacda7d1686d4bc9ea4
SHA1 6e40897d0a957783b8b88f2a6487dba028954b22
SHA256 d230ada81f3add58fd8a646d25b8f25fe6271b3eed5edef9fdc8945baabd5631
SHA512 96366e76942f6da30c02e9f6cf7cdf0cb7550455c8cbaaae7358d15a2258e1f0b2bfa960d52cb774039f2070dc8c383c3df187805f4910d40601b853e4309d9b

\Program Files\Java\jdk1.7.0_80\bin\vidlj.exe

MD5 26b70aa2ab871a72a3fd30829f2f1f29
SHA1 73934bad6bf5ca22484a88e1a4b1263ae278c419
SHA256 4e11bf944fb0a34c5cf1871fec3c8f7473e1944642cadf89a86db2eed874d35f
SHA512 40cacfff6c7f47aa0703e8cb3186f8bacbff1d56dc0547d67c44e716fc0d28705995a439a88a02ce8a262628b33cf2f6ec6f0586cdc2fc86597e3da4fb6a1d84

\Program Files\Java\jdk1.7.0_80\bin\vextcheck.exe

MD5 1cb4c95888edfdedb61628680fffd415
SHA1 3336670c701c61bb8062d7620c4244dbc01756d1
SHA256 182d8ab5ec2ee2ec57d60c2d2d75df6c852810e74c50289aa9c2c99a6b050fc6
SHA512 24c8c05baef516fba5aa763c0abc603065a75e5816501c713b24ec8baddad4fc290b3973dad89ac65f09d0277c2fa72d8b00f0eb2871170dbd89a8d9062bacf3

\Program Files\Java\jdk1.7.0_80\bin\vapt.exe

MD5 407d2d7dab36cdea871d4c6b9c62b258
SHA1 86cd158ad810c6772c22a5799c7acf4b9d7c9f57
SHA256 3c040679ea4be0cc5ca20c9f24caf6c13d3002560347e7446dc963b611523bd9
SHA512 dcdb53a3ca2a3637216a9d8133d1dbda336a6d3a98c6b956af42f94adbc136dc5a0245e87512d0314f23dbf3cab4900bc40ac13c79ee93a677d93a89e0cd9e17

\Program Files\Java\jdk1.7.0_80\bin\vappletviewer.exe

MD5 c9aaf1247944e0928d6a7eae35e8cdc4
SHA1 af91d57336d495bb220d8f72dcf59f34f5998fd3
SHA256 05b153ba07dc1a262fb1013d42bfc24d9000ce607f07d227593c975cdf0bb25b
SHA512 bf3bc64135810948626105a8f76dc4439e68ee531f20d901c3082ae2155f2ea35f34d408de44b46ede61ded832fcc61ac1cb9719e432f0f07b49479c95847e51

\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\vsetup.exe

MD5 2161730a7ae00a1fb8c5020a43be949f
SHA1 8db6b820472cdfa266c874e0d3a9395412995aa1
SHA256 07e7896b2304e3b9966294a02d2ed32f41994ee7bd0a284e4160743edaeb9e15
SHA512 aa3659b6184f4273b7fcf1f7d2cd0a5a9129b8856d15e4ca8904b709e85cd432538ce0510ca9777760a1a9d5391671232a79908860e7d665260a54910f6fea5a

\Program Files\Google\Chrome\Application\106.0.5249.119\vnotification_helper.exe

MD5 81664a918656ecd5e8eca90cedba1150
SHA1 580d0eb98bb2c838ff89eb54efd86535ee8882f6
SHA256 2f664c756727c321a3a0fb6c6e68842ca1a5f20575a02312ea10675dbd5dc40e
SHA512 7a211a01c674aaa5e8052dd339b412892c452309b651e835f0b8e27f15ee3fed42c58f43910a202150ca90704f522499deb7bca055451f1e6c8515b2d491df3d

\Program Files\Google\Chrome\Application\106.0.5249.119\velevation_service.exe

MD5 ec6386b63c3a5ffe0577905e94262c3a
SHA1 8f8c428d0e7f32c9d733ca28384ded413a060588
SHA256 302c968ab3e1227d54df4e72f39088d7483d25eeb3037f0b16bc39cef2728fa4
SHA512 ddbefb759858493de1f9d7addc6ff4488c8be3164374e0a88c3cbe97751510005dfe6d91c5499fcbdc35aa33a8eda2d45591a66e54ab9462277dc833faef77c3

\Program Files\Google\Chrome\Application\106.0.5249.119\vchrome_pwa_launcher.exe

MD5 527e039ba9add8a7fac3a6bc30a6d476
SHA1 729a329265eda72cada039c1941e7c672addfc19
SHA256 4b8a72fc81b733ed2e6e70d4c5401f954002783dbf14927849ad579860780b94
SHA512 9e73e14e33a5f07a87e9c1fecfdaee09d1408471052aacfde3d1e877dad4d253b525ebefca6bddabc23cf81d8dcce0785aedcc2f135d171ecbb1feaeb922c449

C:\Program Files\Java\jdk1.7.0_80\bin\vjavaws.ico

MD5 38b41d03e9dfcbbd08210c5f0b50ba71
SHA1 2fbfde75ce9fe8423d8e7720bf7408cedcb57a70
SHA256 611f2cb2e03bd8dbcb584cd0a1c48accfba072dd3fc4e6d3144e2062553637f5
SHA512 ec97556b6ff6023d9e6302ba586ef27b1b54fbf7e8ac04ff318aa4694f13ad343049210ef17b7b603963984c1340589665d67d9c65fec0f91053ff43b1401ba9

\Program Files\Java\jdk1.7.0_80\bin\vjavaws.exe

MD5 bf91501c9b39c728ade2cf3788b647c8
SHA1 fbcb53c4ca9836f5bbfbb2b63e7a1a00a6bf10c6
SHA256 d602330327fd3630d625c9023131fd2318f677c67aa421631b8a4080dba38578
SHA512 01a6639a580bd418cc4d1dd2bd8794f356c08b6f7fa801245e9200c883d32c6b103aeac2615195868a8e63e3515911de2a9afcced21f62fc41edefdd0a66001c

\Program Files\Java\jdk1.7.0_80\bin\vjavaw.exe

MD5 0266d98252b6beee2e842d5e876031a8
SHA1 8d57c6d94835ac6b1b0f9a657af6baa4be25779d
SHA256 c5d59069dcaf86222c9c189c8ba8932ced66ab77b4baad485e1f0ac715e6037c
SHA512 7eebbff75a67a0408ff2f507d9f1b387dcfbe6765ccd4247fd78a64c2ea6090e88fd30f561e30f48bc107dd9378364fd18dba4ea22eedee76a1f993fbb1e9f32

\Program Files\Java\jdk1.7.0_80\bin\vjcmd.exe

MD5 36e8cb42bbfc16e1395a88d183caed83
SHA1 ca1c513aaa7d49adfe0f43ceec81e6d0c0ae67d8
SHA256 40ea55ebd7ef975135dafffb396871a8ab728abc24b42eaab76f08859994e996
SHA512 f7620b06a5d43d21a0d492b66b0e5bacea6918f1490fb0504e9440524b7ef02ba83d2ae3c2211113b478b8325a3a6b6c8f65939ef5a01b835451cce2e72de00f

\Program Files\Java\jdk1.7.0_80\bin\vjconsole.exe

MD5 805f6272e5e3a80aac3540cc5b42b08e
SHA1 437bee3476647f7b55a49630cb86ed4befc34293
SHA256 910dbe44d17bd60a295a956e98e18347080cc879ed7ef7241cd2d0edfc060551
SHA512 319f8f50dfca4adf148edf878fa7c83bc6e4f1053da0c7d412645fcae9c63e67b838c876838805d9a33b28067947d3844479c9ddab11eb9e760b9df285f27041

\Program Files\Java\jdk1.7.0_80\bin\vjdb.exe

MD5 0b5681808a793728fc658f1e9b94ec52
SHA1 05763b10f153447edcc08afeeeee71fa2f221033
SHA256 d18fab0d0e24e8f1d9551e2667f6b2c34fcd75232c39e85ce50660588174079f
SHA512 65e64980a30285b29888b9eeb66ec1c27c98a15effd67d761c3c62358e3ec008fbda61feda4fada8f9af8bce740b8f38236495c6f1b274d98c14209cd56b414c

\Program Files\Java\jdk1.7.0_80\bin\vjhat.exe

MD5 1dbd51882c2b82a5496106c31db425f1
SHA1 f47bee48a7d0da0c4930cccc6fe7a8d8600d4b05
SHA256 659fecc81e846405613c2080ac81a567df17c97449a9c2ba179ac216280223db
SHA512 81418b0510b58f782b843312069842aeeede8d35feb8f393807169398464896f281dc13bc82d51279a07adfbe97758b82143218cf9a56d653b3a9d11da62f50f

\Program Files\Java\jdk1.7.0_80\bin\vjinfo.exe

MD5 f499825b88d200d9348b5f97ff297ec7
SHA1 366adce5911c160fa26d6fdb4d65af357cf0e3bc
SHA256 8b2d599efa66da695e503b480f355fc5f22347fcf5c294100abaeb3e9a20c1f6
SHA512 3017bf630ba53ee0855d1e657df197732e4fe2fa6455fabad2085e5a24918589d487362fc2819fff85b3fcf7e684376d4b7a5bbc6e71ea57cc62ab397a87dba9

\Program Files\Java\jdk1.7.0_80\bin\vjmap.exe

MD5 30989429490b9ccbde4fae1fc6df84e4
SHA1 64c8cf20ebb4e8dc31521f0084eb046a9e3f0500
SHA256 aa98634e3668beae535738d25c2094a7ef0d855ebd9d945b484368f9e543bc0d
SHA512 9a78ed9cd8dcf333ea240ff309e24a2e5de39bbeba4e9291b55d51fdbc10ee672c674a9f4393b13819562a0d9bc99667eb03519cefed0218444874f15729eefe

\Program Files\Java\jdk1.7.0_80\bin\vjmc.exe

MD5 c8db7998995218d59addc586ce9679d6
SHA1 694f18eef5aa6dfe1aa607ad5a08980f9656ed07
SHA256 e3712cd917e4d41696165a98233443d63dbfb28560967de92ca4e707c50d7df2
SHA512 ba7bdfae350c4b98067a2875295a20fbee1b7e9cb1f1afde1a299ca1b8d6aab3996dec59119cd83214461018e5e4ff91894ad3f0e909359382cf5183811d3d12

\Program Files\Java\jdk1.7.0_80\bin\vjps.exe

MD5 4ce9dbe70ae911f1fef704e2c5594214
SHA1 3431c1d6fa21e04e79f0b2f48cd30b037ab009cb
SHA256 e45733934ff8c01f79a98ea2fd6b2a78fc5f0164e5d4fea7aef5119c7218a5fd
SHA512 291420138d84108ebbb8f3dc81bc4595206144b8eac0a459ae63754aa137a3d6789330dc764c6dafb5cecc76908166d93cccaecbcb3987d4cbba662980ee6359

\Program Files\Java\jdk1.7.0_80\bin\vjrunscript.exe

MD5 c77fa8599058f2f08f6f028ad1ba3d29
SHA1 ea42e7eed011b8b71f32d4d47827a5b56198d134
SHA256 db2beff59876773d223f4813c05c65a1e582604c420ae6d7f6f3844a0a060398
SHA512 f2834be1925ca448884877e7236d2febb72190ebf43a2dab29a76b71c4976360d56df17879966ec74c60b3d62dadd81d577e3034961ed64418c0300f9710f43f

\Program Files\Java\jdk1.7.0_80\bin\vjsadebugd.exe

MD5 da1c77dc8b88afc927144ac6814ffecc
SHA1 ff50b5fefd7275f3972f2e3f228384816fe22e63
SHA256 78d50c2ca489676456b3a0ccd1696dda0f1e1e144baacd26cdbc472869578b30
SHA512 02fbc972c889a71947b2671bcc7e22f9a0edce3e0462f332753d974d73035315aef7b4ae1069e309aa560f98065b792447b2ef8f1e8be1874969de916b2f3e25

\Program Files\Java\jdk1.7.0_80\bin\vjstack.exe

MD5 095d24917473c666b8906e45852378f7
SHA1 2ca5842715ad03982eb9094786832775926e4b4d
SHA256 3289a0fb8c701e7eae9fc792329c0eff6cd2a42ffbf1845f4e630a3e1a019529
SHA512 fba9fe4ca6498c9fcf0d251906b537286f2e7bdb2399293c71f9b0bce379c2684da14212231535a81889928fcbe0adf7354bc83e272a3f6d9082f125494cc50c

\Program Files\Java\jdk1.7.0_80\bin\vjstat.exe

MD5 f9ae41a829d457685c00b08ea9185e1d
SHA1 54eeb13931bfdd989decb7e807996b46b75f1cd6
SHA256 d122b3df7c2b81c5eee0d3165a6741fffbc2298a8eb41740dbe0092eecf3cd47
SHA512 fef83f2670a11536b57dc3a1d86d014b49b83c720976a5592bf6fef2ec45aeb62e269ce0759b150accfc77a94a28423c833b4ad0fbec6a7e0a4132a2b152a538

\Program Files\Java\jdk1.7.0_80\bin\vjstatd.exe

MD5 d33a2ad454c698dc6cc87ff9e484229d
SHA1 cdf4c8db79f2530bdfec32a1909be5d129a23058
SHA256 bf9aef8af2046c69ccc29ab1f9fa0f4b31cfcb1892158877c01e7b3a8c4eadb3
SHA512 682e0b292f0f0cb1613c634a99df53d242ba465f1f754058d508ba8506654ebcb35f79e6e6714a288c2018ab9cdb929ef48a544071bc3ffbf3d362bf3478a818

\Program Files\Java\jdk1.7.0_80\jre\bin\vjabswitch.exe

MD5 529a2a19485ba337e8c0b6970583e94e
SHA1 1cc15db40d7bbef978b74ada8aa308e2f1731c77
SHA256 e9c0f8e00e3f884edfb0b776e4d9bb336dd7fba12f0c6d5604b4530d7016861a
SHA512 30598f68560ce73d02a8683555bbba0c316c5f04f05543dc30a273e51fda19567f375d1855d33fb7b2aa66d0faec8d8b43b064cfb5debe4f0d3f06996a416158

F:\autorun.inf

MD5 5513829683bff23161ca7d8595c25c72
SHA1 9961b65bbd3bac109dddd3a161fc30650e8a7096
SHA256 94e323bd9071db7369ade16f45454e7a0dbfb6a39efddc1234c4719d1f7ee4c2
SHA512 308c84446106cda0a71e37b0de46aaf4b7361f9ddcc3c4c29f8e87da8acb606525dce8a42caf9d74e708c56b31c524f9535a2f5f4757c6c357401da1c495ddb6

memory/2400-574-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/2400-575-0x0000000000270000-0x000000000029E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabDD28.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDDC8.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9d01e18c1241008a9936ba1c387228d
SHA1 9a1e7e79a22451b01bb5ec5b5230e79b2a48d14e
SHA256 3817403962723a4a03b4d464b46882019ffe6fe9ed81a4cb12adff7e4eedd1df
SHA512 395ae06640cbadde2f2a40377ff32fedfd201c9c4bd53718fd1807ff7b035b294d34813b31ed72337a7a43433cc6682498c13071fc99349ce02bb074eaa7b40c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffca64610f06a38864cabbc6136c34cf
SHA1 12c3c29b8d3847fd13f6f394c9a536cf865ca5c6
SHA256 83bfa63b96cf5179cb141b01228df0f86e777e5970175d8e8c8b8791270cafee
SHA512 8bb71d55f10bfdd1858f47fba07bbceed544ba04c3eea70d57458775b9d4e8e9c97e7ceb58ed66d5f5e3cdcaf90bc5b7e43464fefa54f1073f1a171a2e6ae843

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad02bfd8a8813a88f415830712ff570a
SHA1 75b650c622068d15a1cbb138a1bbaeabe0ba3d3a
SHA256 ee700ba4e0705aa3fb9df10569073f9da0a84b8f150727894c40189f8f95ff86
SHA512 0032db00771e2ac3bc60794e0275b73ead524772c33acb89b38a8e23802a7db6960294431af39d9a1e5c2771464adbf2c13f1aeb384d9bf4dcb4240e8737b864

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e6cec03a6173b7b593d24d8bb4e4fcc
SHA1 fb52678f8e47838a477eb0ff697b1876e113c8e3
SHA256 7c2b50fc72b26f37bce904bbada85509e4c2a91d4ed07a71959a21b332aec2f8
SHA512 cb1684e3559d292bdb4979ceeebac450ec0cdd615f88a22e0d71349cd0d10debebff3dd7d80a62be629f836dce4b6676e76d2a8f1223f05b228cf31e6d22546c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3c58574a0b4e3ff89e8036a31f6441d
SHA1 323dd7c987bf33ae8af99c10a3fea700279d9cd1
SHA256 2c5ada843fd7e417e83c9154c616bee62ba52e742e46b736e912a7af727e9130
SHA512 8379a6ed14d0274c7739b17f2ff09967ee873fdc0d4453101e0642ca4576078ee6021b8352f7b110813c05ea60a6d5afc48df29e6f781a2eb4480e10d86f6754

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78ea09307bacd34960189b19943486a7
SHA1 01487dc40c19664be154690493fa5716227ecf7e
SHA256 059e7e056974153ac6412f3b13dab93cffa391c6ac106494481332074242f1fa
SHA512 6e80f87a247d82b527bfcbb7d8c79b7a754d9d710aec776e5dab0172f9d3f9d71d00037d57bd677ad2c1b9f9f177f0a6188056be47d30f45dbdee01053731388

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3167892e9880a19ab05ff7da6b819d4
SHA1 a6e524c3085aee60b0f1f77aa7c282741c01e111
SHA256 7adc6566b638bd50f9f0f3b81b375f8ae77b8a52b3976fc4c7db8ec802b4f454
SHA512 157789061ff28fda54bd602e28462354135c50b65af156777728b0abc3ea177107738738859d73ad92730ac056539d4b9239573e2cf1b2d5d13ce56f098a2a9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 644a08ba12ffe39728a3db45cd59baa4
SHA1 7ea7ba6bb869f2c21a41c58fe3c71fb389fd2c51
SHA256 fe1785faff2b9d1514bb0bd89982fa8453c792bd4ab332365c08b873f82921e0
SHA512 9244e44e2ad72842bf40c32ed295ab71eb8b11a59bd125994ca4872b886b02725be243aa334de323e2047f008db463fd67740b18ca9452dad37f5074def119d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2e9556300ddaad0bb0f417c931c256d
SHA1 f1e40eccf8f4e5d68e20fe938086ece1cdb430d6
SHA256 7e8d68fb9a1c35f83b655929e1f5df989b7cc86124f5685261913b4a1a11900d
SHA512 7d9231a6eed0be30be6bed1d88c862330a64b82466e91b7445d471ac6b76e992987fd341c72dd2f1e37eaad0bed26badb27d538216ffc17f108a88c4e56c91c6

memory/2400-1004-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/2400-1005-0x0000000002150000-0x0000000002160000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8623cc392b75ccf618ad9fe5e555354d
SHA1 0c975d5adfaa5b2182f481330f2e9b754c05801e
SHA256 8b5228a78375d09319cefe9c702a3c1d8a25d5398eacdd981a13d87575f12151
SHA512 565e9be783ae010c0ca35780b5762665f02d7421f37c642436c509c73bc0c01731d6e095d6b80363eb809de293470233eed9e04215356e08c5cca85282afad1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a44f4921f1a80adea80ff00575483159
SHA1 e5d9a088f167b726ea0ddf1022df89598039404c
SHA256 1b58ac9bf135e840d537b053790fcf99b602a920d83a111fa19f1789c833ef27
SHA512 904899ef31343b071387a889560e035cbb98eec68de96149c02909ff7abd78e0aa0f196133602999c374715b77feb8ac31acc95130ea61e4cb7314abf8721a49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f2361a1bd22537c178bafa69bc88aee
SHA1 10a1fe389caac48907eee42c6be9d8319aaa4f77
SHA256 a8778b28587a4068406d885c27d2f4fbfb44454faa4d18c4ff8d57c2d004359f
SHA512 e797c5ddae2ec46598db5d1aa711c580df35a3d1e39b3e6951b9ae1d9cac308f7510e3748b2e8aa9dc2800f571c2449bbb87298b807eb695413f6bb70203a178

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e66a6e13b67e2d1bedc56b5450c483e
SHA1 fcb7dad7f5dcf67305a16dbe9ffcc4430a401cb6
SHA256 ec35d5a19d127c67d2cb680485dad48a843aff01872bc40b1e27fa36d9e24eed
SHA512 4966319db61a9977722babd52627c23d31c6b8766a256b6dfaea09e73935b627242c75b7f18f6c190f306d256af19914f8150b703332b48b5d9f1ebe62a09fdc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0e6288068ba3fd9febcf3d58b85ecdf
SHA1 fb3a9493793aeed3a745f95bc351544941f5e0d5
SHA256 d1bacf27b2d26d0d1c02ab306c0e488baa9327ded72993d0341cf6614e318b9a
SHA512 f69d920dc447c8ed0017433fc7e548a2a9307c614f1360255c32f502d1f7fed4df7552401da896d9e93d3f2c26b13927e3c71bde7e2150dd5a68b336fcd55ab8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 051674015851bb9de4143c320e68d887
SHA1 6daba98db38215a6323d32605aa32ce84e89aad3
SHA256 1de6eac278a8b280d7b549f6d09f44599757bccd2a6e05e8f08ffa59f6dd353c
SHA512 097e76da2383b86aee85ba8f638fac8d0fcaf514c82832b832abb7bce98e4289cf8dabbedd4d3bb777c45c177518ad15793b4c9fc678574e413a0c827bf31fb2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94412e18325a1e4737eafd7a9bc81016
SHA1 86ccfd13f4f4f3d55836cd7a06c9178ed6604f81
SHA256 5a87c47e4acd2fa26346e10c950905c4ed5140e7f2422943957067ad9e0c2cdd
SHA512 500a3dc9d3843b1f0c1a7efbce16a36cdadf154c5616d567dac6e6a08cf41c8b87bf44dcad93a3ea71d327bd692495dd5a9dedc4906cc76cbe9a1f0a61682ea2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62f9b6be50048f6a808d942738758a7d
SHA1 b7b9bdd582922bb7bed34891986d16dc823f267d
SHA256 dbebc17f0f296e79b7d03ce5e6d5218e6e5851eb5819613435036f045220321a
SHA512 fba916f67b9a3b69d6149500e95822d0dda2fbf91c5570d94ea93df43542879b7c627a08a5778ed91d97cda2a40749442a5e636fd545bd3976ad57f2bc3ed26f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b968af184e4ffc3dfb4abdf006cd736
SHA1 8bd3abe70c372d9a95fa44597f740184254c3790
SHA256 01f1d3c6da2ebf9b3add3c4f692ded3abed6d9af66a1281feb43247812ec9524
SHA512 ebbb7c226d74ad7b9be22b81ecb061103042b92f4943bef70f307c5bac23db5d8c5a3ffb8e13d5e7d87f3eda0a5a0eb553d931b82012b2a0f7ad5ca31bbb2911

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed697bc7dd92f0e2b807a4625e819e18
SHA1 b327c2b02b118f57a6523f607628ef90bb8a998e
SHA256 93dbaff8bb18df891c73921bce04412fe481897d31b1d64e04be5c304d9f11a3
SHA512 ef59bc5d3fd71eb866f461dbbab23b069d4682b6e1fe4ab4b157c14db355850f912bdc350ab2c2f1dcc9850ad8e905af6228a83e688e751dfcbb6e782c8d4a5b
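
Turning a list like the one above into indicators means separating the sample's own drops from the sandbox and browser noise, and recognising the renamer's naming pattern. The following added example (not part of the report) parses entries in the exact layout printed above, buckets each path with a few heuristics, and emits the SHA256 indicators. The embedded input is a subset of the entries above, reproduced with their SHA256 rows only so the sample stays short; the bucket rules (CryptnetUrlCache and Cab/Tar temp files as noise, "v"-prefixed files under Program Files as renamer output, everything else executable as a dropped payload) are this example's assumptions, not the sandbox's classification.

```python
"""Extract IOCs from a sandbox 'Files' listing and bucket them."""
import re

# Entries copied from the Files section above, SHA256 rows only. The parser
# accepts MD5/SHA1/SHA512 rows in the same layout.
FILES_SECTION = r"""
\Users\Admin\AppData\Local\Temp\@AEBC8B.tmp.exe

SHA256 ef41806462f78adebc7d8979ab31a3aae2025eed2dcf444d91793cc385025b4e

memory/1604-12-0x0000000010000000-0x0000000010015000-memory.dmp

\Users\Admin\AppData\Roaming\Temp\mydll.dll

SHA256 1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

SHA256 080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716

\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

SHA256 cd56bb716ac665f1bacf63a2172b0833c111c5373127adef1c2e9b46deb1518a

\Program Files\7-Zip\v7z.exe

SHA256 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

F:\autorun.inf

SHA256 94e323bd9071db7369ade16f45454e7a0dbfb6a39efddc1234c4719d1f7ee4c2

C:\Users\Admin\AppData\Local\Temp\CabDD28.tmp

SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

SHA256 3817403962723a4a03b4d464b46882019ffe6fe9ed81a4cb12adff7e4eedd1df
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files_section(text):
    """Return [{'path': ..., 'SHA256': ..., ...}, ...] in report order."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            records.append({"path": line})          # any non-hash line starts a new entry
        elif not records:
            raise ValueError(f"hash before any path: {line!r}")
        else:
            records[-1][m[1]] = m[2]
    return records


def classify(path):
    """Bucket a path; 'noise_*' and 'memory_dump' are excluded from IOC output."""
    name = path.rsplit("\\", 1)[-1].lower()
    low = path.lower()
    if path.startswith("memory/"):
        return "memory_dump"
    if "\\cryptneturlcache\\" in low:
        return "noise_crypt32_cache"        # crypt32 CRL/CTL cache written by the IE processes
    if re.fullmatch(r"(cab|tar)[0-9a-f]{4}\.tmp", name):
        return "noise_cab_tmp"              # transient extraction files from the same IE session
    if name == "autorun.inf":
        return "autorun_inf"                # removable-media spreading
    if "\\program files" in low and re.fullmatch(r"v[^\\]+\.(exe|ico)", name):
        return "renamer_vprefix"            # installed file renamed with a leading "v" (heuristic)
    return "dropped_payload"


def iocs(records):
    """(sha256, path, bucket) for every hashed, non-noise entry; repeats keep every hash."""
    out = []
    for r in records:
        bucket = classify(r["path"])
        if bucket == "memory_dump" or bucket.startswith("noise_") or "SHA256" not in r:
            continue
        out.append((r["SHA256"], r["path"], bucket))
    return out


def renamed_originals(records):
    """Map each v-prefixed file to the installed file name it was derived from."""
    pairs = {}
    for r in records:
        if classify(r["path"]) == "renamer_vprefix":
            directory, name = r["path"].rsplit("\\", 1)
            pairs[r["path"]] = directory + "\\" + name[1:]
    return pairs


if __name__ == "__main__":
    for sha256, path, bucket in iocs(parse_files_section(FILES_SECTION)):
        print(f"{sha256}  {bucket:16}  {path}")
```

The renamer rule is deliberately narrow (a leading "v" on a file under Program Files); a vendor binary that genuinely starts with "v" would be mislabelled, so renamed_originals is best used to check whether the un-prefixed file still exists next to it before acting on the hit.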

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-28 19:27

Reported

2024-09-28 19:30

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe"

Signatures

Detects Renamer worm.

Description Indicator Process Target
N/A N/A N/A N/A

Ramnit

trojan spyware stealer worm banker ramnit

Renamer, Grenam

worm renamer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\mscaps.exe C:\Users\Admin\AppData\Local\Temp\wtmps.exe N/A
File opened for modification C:\Windows\SysWOW64\mscaps.exe C:\Users\Admin\AppData\Local\Temp\wtmps.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Integration\Integrator.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\vOSE.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX3A18.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vuninstall.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\7-Zip\vUninstall.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\RCX39BA.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\vjabswitch.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\7-Zip\v7z.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\vjavapackager.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\vchrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\vchrome.exe.sig C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX394B.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX6C1.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\RCX27B1.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\vDW20.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\vmisc.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Google\Chrome\Application\vchrome.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\vjavadoc.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\vSQLDumper.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\vOSE.EXE C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX1B96.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\vCLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxE84D.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\RCX3B35.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\vcreatedump.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\vjar.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\vSQLDumper.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX8B6.tmp C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\vLICLUA.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\vsetup.ico C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\bfsvc.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wtmps.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134172" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2501238384" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134172" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2551235918" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434316651" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C058D584-7DCF-11EF-8D5B-DEB7298358C0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134172" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2501238384" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4168 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Windows\SysWOW64\explorer.exe
PID 4168 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Windows\SysWOW64\explorer.exe
PID 4168 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Windows\SysWOW64\explorer.exe
PID 4168 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Windows\SysWOW64\explorer.exe
PID 4168 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Windows\SysWOW64\explorer.exe
PID 3980 wrote to memory of 3552 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe
PID 3980 wrote to memory of 3552 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe
PID 3980 wrote to memory of 3552 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe
PID 3980 wrote to memory of 3036 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
PID 3980 wrote to memory of 3036 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
PID 3980 wrote to memory of 3036 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe
PID 3036 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe
PID 3036 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe
PID 3036 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe
PID 4976 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4976 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4976 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1040 wrote to memory of 1564 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1040 wrote to memory of 1564 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3552 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 2104 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1564 wrote to memory of 2104 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1564 wrote to memory of 2104 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4316 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
PID 4316 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
PID 4316 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
PID 1200 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
PID 5092 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
PID 5092 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
PID 4420 wrote to memory of 220 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 220 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 220 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\wtmps.exe
PID 220 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\wtmps.exe
PID 220 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\wtmps.exe
PID 1288 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\wtmps.exe C:\Windows\SysWOW64\mscaps.exe
PID 1288 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\wtmps.exe C:\Windows\SysWOW64\mscaps.exe
PID 1288 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\wtmps.exe C:\Windows\SysWOW64\mscaps.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe

"C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe

"C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe"

C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe

C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:17410 /prefetch:2

C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "

C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 1200

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "

C:\Users\Admin\AppData\Local\Temp\wtmps.exe

"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"

C:\Windows\SysWOW64\mscaps.exe

"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\@AEDD50.tmp.exe

C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4.exe

C:\Users\Admin\AppData\Local\Temp\1dde3009cebda5c139c4ddf98574b2ac5cdc9a82b3e2402efaad66d0246bdee4Srv.exe

C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

C:\Users\Admin\AppData\Local\Temp\tmpF7FC.tmp

C:\Users\Admin\AppData\Local\Temp\tmpF9E3.tmp

C:\Users\Admin\AppData\Local\Temp\tmpFB2C.tmp

C:\Users\Admin\AppData\Local\Temp\tmpFC18.tmp

C:\Users\Admin\AppData\Local\Temp\tmpFC58.tmp

C:\Users\Admin\AppData\Local\Temp\tmpFD04.tmp

C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

C:\Users\Admin\AppData\Local\Temp\wtmps.exe

C:\Windows\SysWOW64\mscaps.exe

C:\Program Files\Java\jdk-1.8\bin\vjavaws.ico

C:\Users\Admin\AppData\Local\Temp\361E.tmp

C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.ico

C:\Program Files\Microsoft Office 15\ClientX64\vIntegratedOffice.ico

F:\autorun.inf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\suggestions[1].en-US
