babadeda | a424d4ad76806d261477a6117dc0fd2b0517357a826f9d0d7da22aac7c0f5ed3

Analysis

max time kernel
159s
max time network
167s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

output/pentest_sample_15.exe
Size

129.3MB
MD5

9a2949ed34685809e0a23bdfea97271e
SHA1

1ada36a15cea1e1b6c70d155518d2b36a03c4e97
SHA256

f3fef8eac63444e364437305ba947e5b9e098ea15cf7e30458ab67d272fa1fab
SHA512

941486e979b1a9a08e61f3f4bb348224fc9a55c60a3ec6a6eadceb6d8ea0b00b5641f549616dd01b374d8ceaf3e05bc41cecaaca27d8e980232de1a84a8d21ef
SSDEEP

3145728:zR/5KgSAOsWBD4TABLmERk6WFQLnZLmzxPj9MDOC7vadxZA6NnArUwxS846PjsN3:zR/b

Score

10^/10

babadeda remcos sys32 crypter discovery loader rat

Malware Config

Extracted

Family

remcos

Botnet

Sys32

65.108.9.124:4783

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Logs
keylog_path
%AppData%
mouse_option
false
mutex
Sys32-PI9IVT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001c86c-257.dat	family_babadeda

Babadeda family
babadeda
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 3 IoCs

pid	Process
2244	pentest_sample_15.tmp
568	pentest_sample_15.tmp
2196	Mp3tag.exe

Loads dropped DLL 26 IoCs

pid	Process
2956	pentest_sample_15.exe
3032	pentest_sample_15.exe
568	pentest_sample_15.tmp
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe
2196	Mp3tag.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pentest_sample_15.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mp3tag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pentest_sample_15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pentest_sample_15.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pentest_sample_15.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000076f28858c8e82fd5c94edd7bc5b52c0b9cdf5fe6822e8e296cd75606b5b733d3000000000e800000000200002000000009c5420f917d443e3d689e32dd1f12f0982471426d063adc4d4176c8ceab5d1e20000000721261724f04537677eab864f8c037376088a7f1d1a6f466b6f84c1303b0fd9a400000007cf74d36df35dc5e018145dc876b350346ee5b4f1e5a2b9f70cfa8f41a588ddf88ec234f21c7add20886d308136ec9d5645edc2479cfee6e32b300368cce0908	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437482200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000000555a6622373c389ecc1752f6eec540a75dcb2a9b201fd6291a97ad9c9cc6155000000000e8000000002000020000000ba11e317dfd72d2ad21be26032fb6c92ecebb11d1ce807e827df010f3e96b6159000000060c94b698c44dc012f95af21e5a5870deea2c4f5bc9b42aabd6217d85ac48c2457ed931d69f99b8bd9cc3ff90ef5037a2123ae1d54e88fc831dd1390fce42cce0c003b8de446a3eba4c338547eb7298c09d4d82567d90e6fa55ce6137e7a07dedc734e20410ac73e9b21976ba197bb59f14370c1190505480d2bcd9887353d9d705d73064e64a8be7b400e09ccd84add400000007545145d24d979acfd461fd0abc6318ff6bbe01e16d29703c9d78efae3e81e6098cb7bf7eba567bef6d613186fd176771bf0cbf23add9bb44c1c5f3da92e9317	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{57C9AC31-A016-11EF-9D46-D6B302822781} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e77e2e2334db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Mp3tag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Mp3tag.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
568	pentest_sample_15.tmp
568	pentest_sample_15.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
568	pentest_sample_15.tmp
2196	Mp3tag.exe
1608	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2196	Mp3tag.exe
2196	Mp3tag.exe
1608	iexplore.exe
1608	iexplore.exe
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2196	Mp3tag.exe
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2244	2956	pentest_sample_15.exe	30
PID 2956 wrote to memory of 2244	2956	pentest_sample_15.exe	30
PID 2956 wrote to memory of 2244	2956	pentest_sample_15.exe	30
PID 2956 wrote to memory of 2244	2956	pentest_sample_15.exe	30
PID 2956 wrote to memory of 2244	2956	pentest_sample_15.exe	30
PID 2956 wrote to memory of 2244	2956	pentest_sample_15.exe	30
PID 2956 wrote to memory of 2244	2956	pentest_sample_15.exe	30
PID 2244 wrote to memory of 3032	2244	pentest_sample_15.tmp	31
PID 2244 wrote to memory of 3032	2244	pentest_sample_15.tmp	31
PID 2244 wrote to memory of 3032	2244	pentest_sample_15.tmp	31
PID 2244 wrote to memory of 3032	2244	pentest_sample_15.tmp	31
PID 2244 wrote to memory of 3032	2244	pentest_sample_15.tmp	31
PID 2244 wrote to memory of 3032	2244	pentest_sample_15.tmp	31
PID 2244 wrote to memory of 3032	2244	pentest_sample_15.tmp	31
PID 3032 wrote to memory of 568	3032	pentest_sample_15.exe	32
PID 3032 wrote to memory of 568	3032	pentest_sample_15.exe	32
PID 3032 wrote to memory of 568	3032	pentest_sample_15.exe	32
PID 3032 wrote to memory of 568	3032	pentest_sample_15.exe	32
PID 3032 wrote to memory of 568	3032	pentest_sample_15.exe	32
PID 3032 wrote to memory of 568	3032	pentest_sample_15.exe	32
PID 3032 wrote to memory of 568	3032	pentest_sample_15.exe	32
PID 568 wrote to memory of 2196	568	pentest_sample_15.tmp	33
PID 568 wrote to memory of 2196	568	pentest_sample_15.tmp	33
PID 568 wrote to memory of 2196	568	pentest_sample_15.tmp	33
PID 568 wrote to memory of 2196	568	pentest_sample_15.tmp	33
PID 2196 wrote to memory of 1608	2196	Mp3tag.exe	35
PID 2196 wrote to memory of 1608	2196	Mp3tag.exe	35
PID 2196 wrote to memory of 1608	2196	Mp3tag.exe	35
PID 2196 wrote to memory of 1608	2196	Mp3tag.exe	35
PID 1608 wrote to memory of 2912	1608	iexplore.exe	36
PID 1608 wrote to memory of 2912	1608	iexplore.exe	36
PID 1608 wrote to memory of 2912	1608	iexplore.exe	36
PID 1608 wrote to memory of 2912	1608	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe
"C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\is-NOL9M.tmp\pentest_sample_15.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NOL9M.tmp\pentest_sample_15.tmp" /SL5="$30156,134703868,908288,C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe
    "C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\is-CGGME.tmp\pentest_sample_15.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CGGME.tmp\pentest_sample_15.tmp" /SL5="$40156,134703868,908288,C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Users\Admin\AppData\Roaming\Strong Recovery Master\Mp3tag.exe
        
        "C:\Users\Admin\AppData\Roaming\Strong Recovery Master\Mp3tag.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mp3tag.de/en/download.html
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
d311e87c9c8aa9ac680d7bd58ba7c42d

SHA1
55c6daa240097d43adac762b6995f6dbb04da053

SHA256
1d1f12761004fa59781234e63df2b127a41040c0c402e86c2fa1649e7f8b7dec

SHA512
7cd5b597883d967a28f4744f249392f342d7b997834376d1d3e9bb2911aad296771e221b0b7c2b3a22d8f69c5ca8b1402eb977cf05017543eda5ac628ba7275c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f50c4941cd47228b9ab361e6d950f983

SHA1
06c79db85774744c264021d8fcfe4d00cb0436b2

SHA256
4b1aaa55f7cea79bc22dd823ab1f9025842b1a47c4ad0684f53089ed4ac3466f

SHA512
0f5f525afe1109508b3b26dcbbef382634f640ab1911b089fc723c783f5d480d79548b999274f432c4961304ff0a76ced6ac3a7e83b9fbbadce57f8ea29fb7f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0f83d45037d2ea686d314b120616f29

SHA1
25538fb2b7303116e80485174ea7f0ce21e3fd7f

SHA256
cbb004650dcf1845432a6ddb20501984740d3d18c2767f60585d9a721ef2d76b

SHA512
fa38a27a47290623cf0ee666b86b19ad7adc339a22cf36a0aa64cfc495472ccde2bfb3ae86fb2299e6107ebe3e86c9b7e17ea5419cb0080cd9230a998f25f6a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73823d49a555ce4bb5e9c12e06d01b05

SHA1
54ae3d853130e83837623c7e68b69a8c8974ee8e

SHA256
a7bd9cf8ad0eb3644286b813c611fc4062bc93d9bbc1f39530939a84ab1bd5c8

SHA512
99ae2de9dc738699ec05e6fa86e1ad9e41802e9711c53dbcfb4974bf721054e2efb9d683c02b647b85783d1cd81b81e150e21973118925f7ec35c78322455236

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
743d666d0b3e115c54c604e123f85100

SHA1
13acae0205572a2602fa6046c2781fb1c80d637a

SHA256
c7730e7dd5d2a4b06f46368a248ad9ac39406efb14f895647acf71b698a8738e

SHA512
b704f9f4cae5e23f9d9b97519807b9d8cfef30b18ee4503aabbb943fb09cfd0ba39ab1b22e5dee31f1d2ce389f9d0529ae64bf188cd4d93a8ae6bb7dc30c5152

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69911248f88ea36f4955bdde81ef70bf

SHA1
642a7e2b71c74be0ef7f344da04d4dbfd4cdca36

SHA256
74acbfb0e14c5e1d70742dcf8d6f3b034bd03c4f29015220dc0d9524d50b709b

SHA512
4a7beac65d80954e6f12f00871d0995653473c425a213716569afd0b947dfad03d2801ebb226fc91f7637da07746e73be09cec403b343bd4383f4c3fc0a6aa00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49b511307bee16756a043432448b7844

SHA1
5387c514b92921ca7c11afaf48197e3f0e480d21

SHA256
030b949c19edac8c1bf66aaa12e329fbe0a4888fff50f0307203bc3f35d46bf5

SHA512
6a4162f9d0271a27d0c265824bec3c5fc7d505fdd4a1c1ec7ffee34cef33347c2bb439b5d28ddabdd21591403423967c8adb441ceaa379d61cb4632119b12f9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02d3f80ec0eb1d1139bc7f500be45090

SHA1
ab57be7811b3c534a28bdd7446a61cf4d6fdfabb

SHA256
5cc3c143c5bddb6903df225fe7a708c4c6f9933d4434245861892c0d61724f56

SHA512
1959ee82ae5d003d56d51216a9b37aa6f9a01e950231e568e438e77bc08b06ef408f8ac2bd2264b952b6294646f162388ebf5ba3aff99e6088414b14c0faf131

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32920e4dda0caa9d6988e048074f23da

SHA1
77a0fbd268fcba825fcee5601f8efb51caf9aac2

SHA256
86ea9bc23d3524959769a6926eaa245b839d8189fcf6702dc8d10f9fa5eaf9a7

SHA512
45161a25ce03fb7c487381e8dc8470133dcd2881973db974bc49710d1aad321ae33c5a269a9999b8a1e9c42f0996ef91d908229fab94e42523a7c1d132ca7182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa6a524f0a8e2d14496534462a734509

SHA1
3f9313047d1bdf454ccd132207f7069c2af77ebd

SHA256
8663a1053e12f8f7d699eddfc122989504a240a53d7bb7b4a30bc6345a70653c

SHA512
d42c482a06922481bbcf2fda84932cbe954c0e71973abbb87d508bb0ceb3e07cc274d707072dda8800a0072ddb6018a9c29114821a5994ca14ff815b3c208835

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90d77b5fb549169e7693090b8fe4fccc

SHA1
72130caf4d533eee5129663dc4f7637b50382c93

SHA256
1fd7fa481e978ea43689cc7e3c8f1e17fcc0ce5575c8f4ba78a5c77d7a8abf9c

SHA512
fd761d4546b78d309b6a8ed93bd73fc202b210c3c1da60923952e0353e39b540468ae99d5ce4adc939bc41cd017e30d5e6c8554a6997e8b400e0e3a99910d157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bad16fcade99874b88f23390cb3fc34a

SHA1
0b93d2a68d31917bce3bb194da4beb45efa5bdf2

SHA256
be01b4bde500fb7bdf38b0537ceb4c085e1dd0b68e814d3d3099d5e3a340ac1b

SHA512
a526a2c5b66cec76783d337111a3dab2262d656b0b8f6869616fee4c4dcfa8dc06f7e50cc0165e97379f438791949e9ba799165a50f85b690721a299912c66e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e236b710ced082fbc82d42c60ab2ad9

SHA1
80f251b64d406bf9bd8833bb38b578a04e7f5631

SHA256
f608266644cf1f6b9c603c5db128dc15fbd8d9ed20a318ce7b6fddf456b5d5a0

SHA512
3d98f79a4c9669643a7584e1611d9f0beaccda00f5f5e4fbb93a8411f3cb3bb470ed0980bd7b6e80e13e64a8ad5888a70dba255c718a0b904d3e81facd1cd47a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1429238d29b4d278f20f1da049c687ec

SHA1
057ef6cf118055ac9cd64dcda66b20ef24718f4d

SHA256
f81101d5eed2684c7d7603a2e75bb5c66241f67c3cb7631159ec9638e8be3c33

SHA512
2602759ac0e97fb67b77e72da2925302385acfc39af47afeb12b31c368127e0e7c9228ab57a01396773600de262b64d54679cbf39ab0493ae465716af8d458a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26c92f1d71ec71f90b5c330b37dd5524

SHA1
3b6f56159857a5417626bea6289245893dd9c6c7

SHA256
ac83ff00ce420728a39833d3a8b4be80084dcfbf890364b52c6d86cc3c5930e1

SHA512
0bc6a1cffedaeeb6c36cb5f5f4f5ca2f836e6e893783bda9b08524f0c7af9d3c3b010bbc4a03e926e625b98b1347e4e1ee54679c52a05d254c6cd12f07f6aebe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df58c00dd0f0e34b31d256cf229226ee

SHA1
5e14a36db4de202c9cc3cefffa55fad267e5d48d

SHA256
0c5af164a13c85fe6ec1cd0a80bc9ebeb5da817b247eb86bb68d1b4b0ff935d0

SHA512
c201a6a94664fde6e4804917ef90a2c25b5e647c0a587bb0fb21a553a315bcb8a1129f11805806db4dbff5afe578138ae56b874eef3462abcbf379aaf496cbaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdccb1fb5f133e751b7e274d60e733b4

SHA1
5a4e1f06740110a7ee5e8bd9e3428d61277b6ae2

SHA256
012ed4df90f2e9dd18f65bcafe30a152839926f8e9b47132f5fb056a99049970

SHA512
c2703814a58d198024831c813e0f63f3cb2b917e6438efb3bff0ae20f3fbf805286f370335d78efd7a0f67b256071605adc687a7539591f7085e15b53e121303

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cb9d3236fba4f294a1289ef3cefc2a6

SHA1
22fbc5da3e4dcf3afa85fe874465f1a6e5e4f02b

SHA256
7e70693e84589b688eade42f07d268e80fcf0db0d8cac3e722a8c1bc0f2dd2bb

SHA512
9b4dc654a0c5e4d0f2f6714b6315648eccb79cad4aa1fc600b54ef1a53bffdddf0b1483c011cde453a451927a23f4f9afcea5638ee9675dfb08325293242fc82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0a6b5fec4cdff58ca68473fb4e0afb2

SHA1
eacc6248994537984c4e2ca41985bc1afcb1b690

SHA256
d3fbd73691c6c74a73f44b5df5aa1694ea544ba93204a0c528a7e6ddc3ac4091

SHA512
632896a82a9c3777fddc4c1875a5809930080c09cd549fc6d7516fd58b906c3fbe41cc5abccf5a43e572e7ac670d4054aa35cf4616bd00916106e7bef3a3979c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51071b75c2d4ce60bac1f8b9ea5eae80

SHA1
d7179e04febe9ab3b97707bfddd3e86b9763f59e

SHA256
e93b196cd7b9915954ae44a8ad85378bcad84423b66eac5d77559eb7592fe285

SHA512
cab9af143a53f1a7be9ec528074ba129d81931c034349532939a5c34431be71da5c25eec4994964dd645558cadefa691456ae0bf5483444c11779305c21579da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6bb2235bff9658b0d0d2a4df1ca1360

SHA1
8b09d119c337bbd5920aad2a84a02a80781230dd

SHA256
5a53a6f1abbbf2625539221aab0ded6a7e6e33560e605597691c39de4fb70abe

SHA512
a154406f4dc854c041e73a38b40597db0828732d9f39259b47c438f971144779d696a591b65fb04b9f857a8fb61470631f820aa7e40270a08423d6ea2ae3aa01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5a3dd1d0b0d557ec58ed47ab3e4a94a

SHA1
aae3d78cf542507e7c4e49a1e515641bf7cffdfb

SHA256
518cea583966b22b1479f0e76f3d459ec7394760bc161c07fceff6c57208cac5

SHA512
91e2fd8cb31c249821171268753f91492a6e68152e1ca363dd40cfc7b1c4d6fe6490e6b1f73bad7a1f3c6e999d54d2b16a4fdcfccb69090daeb6c8fdc9adfc9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c4cff5b9570e0cd7d39fde509c98afd

SHA1
b462b07a298348d648ad00c1379b44cde1018c79

SHA256
cddad2982a9027ea84d77bb732a3682a36bfaf9ad44c78908a5eaaf56d4ea8fd

SHA512
66760d057e7deecc61bcdc0904da624890e1ae193b9766a4592e02c97d3b0efa61af543d8f9117ed967e43d0d078e380053add3842112f89575caca0769e7719

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f488633a3a2b5b47f0e5fdcef62564f6

SHA1
95f1aecd6a03bb06d2aa0488fca6ad625136a0f3

SHA256
1f5acfda2484868efb8922e7fe8a63248efe55e3048ea0d22035416c9fe61f6f

SHA512
a8b9481fa4f3e788e391bc762560325f06de4b32f428622de56fcbdd52652e739dbad56635215f885ae1550d2d5bd0535e079feeb4eaed99f2ae80bbc9f63ab0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
328d2cc9c37ed38d409b41201102135b

SHA1
1b3fc8645f89a23606f54587b98c899df5ee392b

SHA256
5aeec090f20b6eb9fb6d409e61d100b451950d9a44d8582bfb3becd4f3cdd1ee

SHA512
9964a5a2406e6136b3dd402f9b99d0f76818d5a0f3cc3dc4df96861dd720da357f6a4949cd5c95318643fa8f03cce22b365b181226d4cf53d461fe35e8494561

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3182fdda2f22d1e34ee64099d01c1a95

SHA1
541e2670e9def90c3ab6fdce5090986ccb95f6d2

SHA256
ccb4a9d01bada6127afb8e50a169af255e24e1abdc5e4cf4edb279da70dd029b

SHA512
a792eaea229771815914c4e07f8e7b95f6ce5180d3176146b5520a95db636485ed7e9f78a311add5b7b770585b04b3f248d08a6a75a1b23e5c34a10b02d3dc8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\favicon-32x32[1].png

Filesize
2KB

MD5
6e91ca8e818f981a1ae3f9166f8047a8

SHA1
cfe29fbd74dab1be961f763a7496e7a5c5dc0ec4

SHA256
1dde4d031564589958a25b6accc410c701917ea8c02780ff268ee8d1aae0fb58

SHA512
2447f3f59fde7cd84c14d1799cee7ea23bf7a5ae71c08fce14b1092f93aff542e41f1fa55419988ce3127c7556170c9847b69456d821a85f3daf48e5fcfc6e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2230.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3F05.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\logs.dat

Filesize
188B

MD5
2a4e20f262440ab8f4a49122bccba92e

SHA1
462322600f664c8010d17f27bcb25e47b9a01423

SHA256
afb2ffa2b556bb2417dc06ea79b2d6ea854781c82eec04c83046282f6d590b04

SHA512
629b87b491338ee9d322652ffe39848aed03643b3702dfed2c04b1a3eae1fc0dcd184b7bc8a5d03c63bde2c889f2feec555ffdd6a3df45bda25611828f322af7

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\MSVCP140.dll

Filesize
428KB

MD5
fdd04dbbcf321eee5f4dd67266f476b0

SHA1
65ffdfe2664a29a41fcf5039229ccecad5b825b9

SHA256
21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

SHA512
04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\VCRUNTIME140.dll

Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
86279521328398e87699d248628eb13a

SHA1
e4d4c39bda90635f1f5c2fc58b1304e2daac9caf

SHA256
3c9b67616fd0ceb3dd92e605918b08556683ebab5537aa76dff300fbd54b0337

SHA512
2cc328955611ad8369ff9facf9c1aabe99a20c3ded2977ad86c69e0f54acd78fa6f572ed688625c8c63016826a10b3578e3c186ef2b39c4bf393ab5e399913a6

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
422adad24e8da100f85bf3de86b5f302

SHA1
7004b3ed8663b5890cd25e1a7899a766be912728

SHA256
e04642684dc7376839c570bc11e9b46cae14420f1a85f7562fd2c4d656a22956

SHA512
e689ecb1a1cb1e7735cb6a961fd054d87bcad01acf76950b14a3bf4e08ddb7a8d31805c203374ee081a4ec13c40b25b3dc83b3895b9bfbd9c135673e98e6ee63

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
602a35b140d9d68d7b3e488896158365

SHA1
f1ba615abb54ff786ddbc74dffffd56394bfc892

SHA256
43b98f74476c86107c8317749f54a107e2955696e4f79d3d02683dd7034d1d52

SHA512
4388947f90838cae8b5f8137c9ed2a099028b4341da8c574d536c6ad096bad0e217e105f0367750c70e3d3ca4857255b674955c71ecff0fda9c47a4b1951b8b6

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
ed215daa7493bf93c5eadef178a261e0

SHA1
b20c8dc7ba00f98a326f5f4fd55329b72f8e5699

SHA256
8b7c8fc657e0dab0f2506001ca4bb76e675ffd18a2b4d9c1e03b876e008a7a26

SHA512
3ed052eada11c3dc44f81f330bd2a2526170515bc6a90281872a93ee49f9add8c9ad36b9a9e9185e251d664c1694d06625e0148e113addc32e53d705d2655f03

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
a9c7db516186c8e367fed757e238c61a

SHA1
1318d6496e7146e773aca85be6d0e9b87a09e284

SHA256
ded52bac23633a03341969c5b98b0d94d24fa3284c1ddd0c489e453b39cec659

SHA512
6aad003287afe86abccf34f6b15338c0c7380f4837805d919064a26380d2f3f7698515f927c148e618c12f0943d3621184bebc70a8b07eed64ad88689fbcc5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
c6385b316bb04ca36d76b077eeb9a61e

SHA1
fc376f68798fecd41fb1c936eed1bce3f2ee6bef

SHA256
060636cfc58587b4344a6d0ff4f44dd77266f2bbdb877cb50cb1b44a7e3969bc

SHA512
bddf0f34bedb17ecf1d270a0613f27d174ae04f920192d7d1af6c15245175318b29691e748c36e2ce0a3027495b2f5a0bb688ae16095fad9dcd8c283b6d1b1d4

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
10731d3320c12abb62d3866d7e728cce

SHA1
df4e131c825d1ca5cd14e00e5c04785d6ca508f7

SHA256
9f3eb90963916194f167e98e049707b14fa84a3f11cb8cc7b940d95956601700

SHA512
7eeef98682872fd95a38a03435546349c8488607e59870086b486b807e8b53893603175d9ad0f3b80c1924381daca8d14868a6079988a944b005783b4e2e358e

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
cf5f256e8cd76ba85e6c3047f078814a

SHA1
b7cde77313ceaae76a46c1111b33b3d8f47c4214

SHA256
9382fc8d5cbcc23c5d05e6f48f4188af3f96efbbdc5a7ec05b37e252440ecfc1

SHA512
856eff4fff1d11a725af9c3e5ceac6d02a89297a16e97edec171839aa12c468fc37d60ec5df06d507cee695f71b7fbd4bc0ba51b7934d886e66a43b249e62da5

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
78dfcb76dc8b42411dbc682f78f5c6eb

SHA1
e50f6719fee44c70518cf8442737a688b5f45e62

SHA256
8673dd898f899de831fc3052c8b8254b7b85ee7f2b9b6c422736668689c9b14f

SHA512
968bb3bc952f4057f74c9c8825fcc2db34b9c56166ee39db3bab3d4ecf51fb65af250a8a65340274a1a0c0eed73b6c8962df5d2fce586c1ef4e19706edd5e6e1

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
8bd7a27e6ca969d3eb46086d411ce05d

SHA1
3bbf6f55853b1487debca58d7cb5c877d0abd517

SHA256
8edc95578b8c9ca93a65907e428fa2b57fef8370b902912689332bc61094904c

SHA512
fee8359398efe6a995a214d4e47de43aba12d33bb9cb1de18659d332d94ef83a4a77618b6caa9f455b0c6da4c10ab459209d483b9e778d9b522771ca692ca454

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
00446e48d60abf044acc72b46d5c3afb

SHA1
0ccc0c5034ac063e1d4af851b0de1f4ea99aff97

SHA256
82d26998b4b3c26dbc1c1fff9d6106109a081205081d3c0669e59d20d918bc5a

SHA512
69114f0efb3c853bffb55c15e5ad1b7919057a676056d57634a6a39916e232cde2dcdc49ea0f9751ddea6550ffa58f84b1f8918b3c9fd7e88c8b8f7eb4afeaf2

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
376b4a7a02f20ed3aede05039ec3daf0

SHA1
c9149b37f85cfc724bedc0ecd543d95280055de1

SHA256
b0b8fc7de3641c3f23d30a4792c8584db33db6133ee29135c70bb504e80e4a2c

SHA512
ff7fba7cd8c9b55c1c87104d7d9074ef0eed524b02480ecf2c80e5cd489c568e1ed63bc62699a03272cab3dcbf20e6437e1f47ce112bcb3336d27ed2790430c5

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
6376bf5bac3f0208f0a5d11415ccd444

SHA1
c3fe96e51c3f3e622dcedd2ddf8d23f9442361b8

SHA256
e36763df57cd26ec2b4d52e27de51a4ca6f18caf86cbac8307bf4817705f9a0e

SHA512
9614e423c850bdb584f18555825214d42106966b1ee71e75ba7407591aa5de407b43909ce972e1923df82e9a0e953597fe19646296962194ebeb1579493d91c2

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Chinese-H.ico

Filesize
1KB

MD5
1fc48b93562b46e428a2db1d4ea4a099

SHA1
772bc0d8527c5a0450fc0ff8ce525fca240564a5

SHA256
0b29a27f3d2ab4379cd99e9e7a93f6e40a0fe12cb73d1e6f3d296ec2c7e38a58

SHA512
55634f207c835a4dfd90ea1501a9ea5a0c406940def5f3b690d8b67085da8e61e890b29be679da61e8ce58a6f176b9f8927c02b81dea25a9de5561e1ea054a58

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Chinese.ico

Filesize
1KB

MD5
2ca29c521af17539d17968900ed650a1

SHA1
b508852a5febaa2ebd942229cc9104df4059430f

SHA256
1b8a834029f10ec10d796c8344b990df082a3b3c67e8f480d8ce48c07177d549

SHA512
90ba3bd6431912fa44458675eff9be42d99665b505d5dc4012591f4b018033ff95c6b7adceffe639040aa32ed2ef8c978c249fae9ede5a2db26e9b522d61d11d

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\English-H.ico

Filesize
1KB

MD5
e5e33562181f5549042249668092b0db

SHA1
7103748dd38ec44a3dea582a9aea2123870a6937

SHA256
1dff252a4f45c471b8fc81d5d1c94ac1ca918a2ec0725b875f088cb75b53a938

SHA512
9cdf1a067383086d7ea79fe145e84ae6be8b1e476dcc357416941c8839c46eafd496f865aa8c553df6ad61ea1afe00004cc3df22a395cbbd53f4b45423468b6b

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Polish.ico

Filesize
1KB

MD5
ad8bbac74c6010604a7bbd9e4df43688

SHA1
eb18b66c38b2a5ad5fe98177b677b4ed36c898aa

SHA256
5a98fc48378b8772579632706747d35d3f16c542fa5f0493b44100a0104eb559

SHA512
6df720edc81ce9af7e26028073219fcf3d8a503285bac95e9bbf2f6e7dd51e05624d72d9cd7bf670bc9c081ebf25dcde728ff7d21386d5a1d8330b1988527c56

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Russian-H.ico

Filesize
1KB

MD5
ee464ce2c72dc4a01afccf12b318ea23

SHA1
9cebc61498162ca4847519cdd0739f97399cd396

SHA256
596b46cdafb26774740466a73d4031813511db5840d2fe5c4d90284278a08d99

SHA512
0645f8d741feea1debe9b7ee484922499d44270783ba3d4d65232d7b6f2bb113cf4adb8278b78fb8dc725228fe21e912a2b8b228cb08d58015a537d4774e7a62

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Russian.ico

Filesize
1KB

MD5
ed0fa2d2cd41dbb442b010b4bd2cca9f

SHA1
783d3843a976bd91829398f9ccbfa5b98150023e

SHA256
7c24485ad1023a46521ed10a38ea762cd9c185aeed7dfd32a717d274606d8074

SHA512
4b2134844bfb56b9ba266f6687359117d5f0c0d5040213c025d906fab5ac8711a09673bdac342c59bfd1bb0fc8294c5a4f97cbc29567bd2c52b90dbabddc1d3b

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Spanish-H.ico

Filesize
1KB

MD5
959a045dcfc52077692f0d091db9054d

SHA1
ecd119a1e382f059bb9b04e37222ac3257272994

SHA256
73fca4e5f38e65f21b2b7251231178e64ce8cb288044d064e176965a1b4dc699

SHA512
022939b3cf3bc0555b190ea61b7594fe24f87cce44ce371f081d67202fe085e19a550898a4372bf8cca0d492a9ec837ff3a9d680998d2d5b35c26a5b0f042a98

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Spanish.ico

Filesize
1KB

MD5
603afd32d12ed4bdc1bdfbb11040f271

SHA1
ac68f01be1f873330333ccacebd8079e2a72adfc

SHA256
9eb18c0dacb6e60abdf315b853fd6c9db8968ced959b7d31d1dcbc80b561bfb6

SHA512
b93869f43ae9cd0c1cac0d21b588527a3f93eeaf972ecf1f6d167f36d5f8e3d677daee6db0e1d409294e939cc8f2be2c65f4c0fbd5ca5918a09b01571a630c33

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\libwlp-20.dll

Filesize
19KB

MD5
fa847fa54c646c39fcf8e58c6fdcb46f

SHA1
d052ac0346c77be6d87c2da668543c63d3307036

SHA256
a15614de6f933f1941dbbb57641900439c02b3a90c40e409e32cae5c04426378

SHA512
3dca61429b7572d3106d095cea128b8b0bb8c685f0251b5920c8d69d828d33f90d507ba62033ab29cb8bb2d46e8574d0b52c7dba8181c2fa98ed304a8ed80cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\page

Filesize
1.3MB

MD5
bc23ffe164676054ce5e5314abeaf11a

SHA1
eebc94229ce1b1a51d4dc96399d1ebda0b52b075

SHA256
dc36a03e536fbc03b4a89caa83435ec57fd021386341b53e23b56b359d988ab0

SHA512
78262e6a18988981e8a4f82fbf84e00d9058480912947851c5491a822f8f3c27a3345acf37bc2aeff514251024a1304fba087cf63f699b99af0299e9b0b26cdf

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\ucrtbase.DLL

Filesize
880KB

MD5
5dafe0bfb955e780b3d50da4524b752f

SHA1
91c0d9fabe748d373215ba21b90278671b5f8957

SHA256
6255112c9978c07a05c6feaee01cf4be74b2920dc7017fbc1a42f8f5d23c20f9

SHA512
37fd37f3ad87838f596d1e8e497fe66d1a1c4128625ab456ec850179dd1e1f33cf4945d0faaf6cdbd1ed586ecfb7ff3e7cf10a88a823cc5eb06c2fc4fa16bff3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NOL9M.tmp\pentest_sample_15.tmp

Filesize
3.1MB

MD5
7388fff746d0ccae6e5610e87ff63b7d

SHA1
3ac665008fed3810141cf530627afa365df6dbf9

SHA256
85431ef6910699233ecd80d08c13f5507990b9d5d668f589768416c4a25b8494

SHA512
9a5002a93c0b53854af4c55c26ec65709f4080e6940b22729a399f844a2513a55e37cca1df960992996da8976ab8a918baa7b970afbc04e25b0f511bec7b4d00

Download Submit
\Users\Admin\AppData\Roaming\Strong Recovery Master\Mp3tag.exe

Filesize
8.6MB

MD5
92c1655770e49b1dc19359ea1f02e780

SHA1
16b459328f086dd988bfb2b45288d32652400301

SHA256
bf9a506f8c9409fe9609c9590477fdb5cbd185c7b76344260a2494ec064feb28

SHA512
b5e7d6eb435411449402840161d47ec17a6d7f24853e3536d0619dfec5b5fead9de9336560a434735c343e2d96f22d97b9be6c5a52e708c97ced6999808946f6

Download Submit
\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
a07afa26ab56a8d3b8b16591a1962005

SHA1
2b6f3143487f747911ee20f039f1ffb1381858ac

SHA256
6be230837149dc2a8c7772142a674c3f90930a55da7f91d791942d8276d5440b

SHA512
b77b277d10cf6b8d209679684ead55b4347caef3213acdccdee35b5d4fe0e3fc136daf057830512c5473c4653a8d66357927c4b7d204c07d7508f792299d7fe9

Download Submit
\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
311e582d5d3d8421e883c4a8248eacc8

SHA1
c99e61d1446fce0f883a2aad261af22d77953a59

SHA256
369cc4d3bb05f4160a0bc9683feb1df2e94d02f061e4b23d53c3a6e2230cd5e4

SHA512
050ed1310e667e6bb22bb7952794745df1eee0c78f18240cc2217e748a11213d094b48153964c3da0ad8141da1709ece637315633396c77c035bb0565fa981b4

Download Submit
\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
60ffdc3ef20b127e3fd14a0719328c34

SHA1
b510833350328f79a79fa464ea9d5e9455643659

SHA256
43c9ea4ddecf2f34852559cf0b40b5261e6701d3743ab219f48d43a312707ad9

SHA512
caef6ee08c9f6fabecef1f0be37ab34e2d4dc22f15a775b2f0dcacda1f0fcdf2259399e6fbab85f0f00e8e4b03d77fe88b85b901a9ba2f775a50f2da724da26e

Download Submit
\Users\Admin\AppData\Roaming\Strong Recovery Master\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
f681a45c47ebb2c56c1465677ec33ff3

SHA1
06bf7798c51325cf1806e14dea56ff98b05b7846

SHA256
3a03d727d291be57057587227273af410eda935438d8a0a165ec63ae772809af

SHA512
eeb05f1af7e1c714c658e9aa06e8c6dbeeb5f2e8dcf3fdb7b9b408018e41402d83893472114e0cf6d3a9a3bf54ec45c4f7a4840a09570d190277aa3514681ab8

Download Submit
\Users\Admin\AppData\Roaming\Strong Recovery Master\tak_deco_lib.dll

Filesize
127KB

MD5
f0bf722006ebf17f9a194e892ba2bf37

SHA1
a483e46857f29e98535a992438006c962e0404e5

SHA256
a737f6f613c161938ef4c795fb0cf1a0a7bf7e1539cefebc030fc36ac37bf0af

SHA512
47e4113ef649539db6b7ba52106477ac415fafcc0fad5b9a92575d18d110d1fd21e906cecf2546ddc20ef554e09f3da418a5066b70b31dc1360e555eb2cbd0e4

Download Submit
memory/568-258-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/2196-399-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-852-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-402-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-690-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-401-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-400-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-385-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-386-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-835-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-836-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-838-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-839-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-840-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-841-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-842-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-844-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-845-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-846-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-847-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-371-0x0000000004E60000-0x0000000004EF9000-memory.dmp

Filesize
612KB

Download
memory/2196-849-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-850-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-851-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-419-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-853-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-855-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-856-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-857-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-858-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-860-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-861-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-862-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-863-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-865-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-372-0x0000000004E60000-0x0000000004EF9000-memory.dmp

Filesize
612KB

Download
memory/2196-378-0x000000000A500000-0x000000000A577000-memory.dmp

Filesize
476KB

Download
memory/2196-373-0x0000000004E60000-0x0000000004EF9000-memory.dmp

Filesize
612KB

Download
memory/2196-369-0x0000000004E60000-0x0000000004EF9000-memory.dmp

Filesize
612KB

Download
memory/2196-365-0x0000000004E60000-0x0000000004EF9000-memory.dmp

Filesize
612KB

Download
memory/2196-352-0x0000000004E60000-0x0000000004EF9000-memory.dmp

Filesize
612KB

Download
memory/2196-212-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/2244-14-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/2244-8-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/2956-16-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2956-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2956-0-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3032-12-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3032-260-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download