njrat | 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/01/2025, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
Size

506KB
MD5

cea8687c16ca4de232b21a53308714d3
SHA1

88d8fbf3e679fa2c081e79d9b561d31b8a359538
SHA256

621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3
SHA512

e09aedf77f7eedd2e49825bda4ac6e966c301135419d857df2e2c86d78c82c48d09609ed6b6937a5f4582276395bd22f8d51fd1ab3e84e287edac207e8942b3f
SSDEEP

12288:/LMEalqxXblqoRX5qbfphLxaOSoSDi7mbsG46w:zqaXNabfphLxaVpDiiQ9

Score

10^/10

njrat lammer lammer1 bootkit defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

ie-serving.gl.at.ply.gg:18976

Mutex

d386661cfe8f30c3a692533641b57806

Attributes

reg_key
d386661cfe8f30c3a692533641b57806
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer1

ie-serving.gl.at.ply.gg:18976

Mutex

82f896a33c031e162176bdb24630461b

Attributes

reg_key
82f896a33c031e162176bdb24630461b
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2304	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d386661cfe8f30c3a692533641b57806.exe	explore.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d386661cfe8f30c3a692533641b57806.exe	explore.exe

Executes dropped EXE 12 IoCs

pid	Process
2156	crackreado.exe
1336	vn.exe
2736	Lammer.exe
1656	explore.exe
2620	Lammer1.exe
2584	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
1392	tmp8C87.tmp.exe

Loads dropped DLL 22 IoCs

pid	Process
1336	vn.exe
1336	vn.exe
2736	Lammer.exe
2736	Lammer.exe
1656	explore.exe
1336	vn.exe
2620	Lammer1.exe
1656	explore.exe
2584	tmp8C87.tmp.exe
2584	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
2584	tmp8C87.tmp.exe
2584	tmp8C87.tmp.exe
2584	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
2584	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
2584	tmp8C87.tmp.exe
2584	tmp8C87.tmp.exe
1392	tmp8C87.tmp.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\d386661cfe8f30c3a692533641b57806 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explore.exe\" .."	explore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d386661cfe8f30c3a692533641b57806 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explore.exe\" .."	explore.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	tmp8C87.tmp.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\crackreado.exe:Zone.Identifier	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8C87.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8C87.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8C87.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lammer1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8C87.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8C87.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8C87.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8C87.tmp.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a636566074753b4581def456722946f600000000020000000000106600000001000020000000538982b32c129323acd856c55934cc2572c2be8c7ea20715678ff5bc37a35084000000000e8000000002000020000000073bbd7befaf454d53fbb2cc16e488d6704c2e82115830aa65a082fb3b0264392000000073dfbaecaab6a2578a4a9242733f80da3cd21a058a1bb814be46e0c0451c659740000000a90f5a0a607fc8170a7dc324446640c30a9acd4210218769536ae7de85a8d66057fce9ddb50d4679bfc4beb045ca52695e0b6c1518e34d1039140d54e79d78b0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{40E57AA1-D58E-11EF-AA6E-5A85C185DB3E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a636566074753b4581def456722946f600000000020000000000106600000001000020000000c1b5189a06859613f211d3bf863418091089d9371202d3709a5c4bcc6ed6fdad000000000e8000000002000020000000f488c196d564fa832a97d1134433ecd670d2add0a84bd5dd6ea3b8eb91b98b6f90000000bce76f3d1e256ee9e80e46071d6c3668398a0e711f8b96b91ed5e03190c442410a7b522143ee26a64d6b2aec0f7083a4b96f9c07ec3309eefcd34a774228165664e326fd1889bf467aa42e9c3295e172d913d00536d7fbf8d8bdd3d4da393d679deaade3e92ee33afcf67a166ca2757219e04c6b1538ab42b1d5ef4ae057b6d49dd991c04ad08455778028ca13b1693440000000037644c0620d1182b6ec36b9b376ea6adf6577a39d241cf083ed174e4d56abbc9acf2a0613dec1c0a3e2078f1020be64ea7120f622bc6db45c51dec90ccea4d9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c018ed119b69db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\crackreado.exe:Zone.Identifier	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
604	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
2580	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe
1984	tmp8C87.tmp.exe
604	tmp8C87.tmp.exe
1736	tmp8C87.tmp.exe
956	tmp8C87.tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2156	crackreado.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeSecurityPrivilege	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
Token: SeRestorePrivilege	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
Token: SeDebugPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe
Token: 33	1656	explore.exe
Token: SeIncBasePriorityPrivilege	1656	explore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2872	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2872	iexplore.exe
2872	iexplore.exe
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2156	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	31
PID 536 wrote to memory of 2156	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	31
PID 536 wrote to memory of 2156	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	31
PID 536 wrote to memory of 1336	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	32
PID 536 wrote to memory of 1336	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	32
PID 536 wrote to memory of 1336	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	32
PID 536 wrote to memory of 1336	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	32
PID 536 wrote to memory of 1336	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	32
PID 536 wrote to memory of 1336	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	32
PID 536 wrote to memory of 1336	536	621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe	32
PID 1336 wrote to memory of 2736	1336	vn.exe	33
PID 1336 wrote to memory of 2736	1336	vn.exe	33
PID 1336 wrote to memory of 2736	1336	vn.exe	33
PID 1336 wrote to memory of 2736	1336	vn.exe	33
PID 1336 wrote to memory of 2736	1336	vn.exe	33
PID 1336 wrote to memory of 2736	1336	vn.exe	33
PID 1336 wrote to memory of 2736	1336	vn.exe	33
PID 2736 wrote to memory of 1656	2736	Lammer.exe	34
PID 2736 wrote to memory of 1656	2736	Lammer.exe	34
PID 2736 wrote to memory of 1656	2736	Lammer.exe	34
PID 2736 wrote to memory of 1656	2736	Lammer.exe	34
PID 2736 wrote to memory of 1656	2736	Lammer.exe	34
PID 2736 wrote to memory of 1656	2736	Lammer.exe	34
PID 2736 wrote to memory of 1656	2736	Lammer.exe	34
PID 1336 wrote to memory of 2620	1336	vn.exe	35
PID 1336 wrote to memory of 2620	1336	vn.exe	35
PID 1336 wrote to memory of 2620	1336	vn.exe	35
PID 1336 wrote to memory of 2620	1336	vn.exe	35
PID 1336 wrote to memory of 2620	1336	vn.exe	35
PID 1336 wrote to memory of 2620	1336	vn.exe	35
PID 1336 wrote to memory of 2620	1336	vn.exe	35
PID 1656 wrote to memory of 2304	1656	explore.exe	36
PID 1656 wrote to memory of 2304	1656	explore.exe	36
PID 1656 wrote to memory of 2304	1656	explore.exe	36
PID 1656 wrote to memory of 2304	1656	explore.exe	36
PID 1656 wrote to memory of 2304	1656	explore.exe	36
PID 1656 wrote to memory of 2304	1656	explore.exe	36
PID 1656 wrote to memory of 2304	1656	explore.exe	36
PID 1656 wrote to memory of 2584	1656	explore.exe	39
PID 1656 wrote to memory of 2584	1656	explore.exe	39
PID 1656 wrote to memory of 2584	1656	explore.exe	39
PID 1656 wrote to memory of 2584	1656	explore.exe	39
PID 1656 wrote to memory of 2584	1656	explore.exe	39
PID 1656 wrote to memory of 2584	1656	explore.exe	39
PID 1656 wrote to memory of 2584	1656	explore.exe	39
PID 2584 wrote to memory of 604	2584	tmp8C87.tmp.exe	40
PID 2584 wrote to memory of 604	2584	tmp8C87.tmp.exe	40
PID 2584 wrote to memory of 604	2584	tmp8C87.tmp.exe	40
PID 2584 wrote to memory of 604	2584	tmp8C87.tmp.exe	40
PID 2584 wrote to memory of 604	2584	tmp8C87.tmp.exe	40
PID 2584 wrote to memory of 604	2584	tmp8C87.tmp.exe	40
PID 2584 wrote to memory of 604	2584	tmp8C87.tmp.exe	40
PID 2584 wrote to memory of 956	2584	tmp8C87.tmp.exe	41
PID 2584 wrote to memory of 956	2584	tmp8C87.tmp.exe	41
PID 2584 wrote to memory of 956	2584	tmp8C87.tmp.exe	41
PID 2584 wrote to memory of 956	2584	tmp8C87.tmp.exe	41
PID 2584 wrote to memory of 956	2584	tmp8C87.tmp.exe	41
PID 2584 wrote to memory of 956	2584	tmp8C87.tmp.exe	41
PID 2584 wrote to memory of 956	2584	tmp8C87.tmp.exe	41
PID 2584 wrote to memory of 1736	2584	tmp8C87.tmp.exe	42
PID 2584 wrote to memory of 1736	2584	tmp8C87.tmp.exe	42
PID 2584 wrote to memory of 1736	2584	tmp8C87.tmp.exe	42
PID 2584 wrote to memory of 1736	2584	tmp8C87.tmp.exe	42
PID 2584 wrote to memory of 1736	2584	tmp8C87.tmp.exe	42

C:\Users\Admin\AppData\Local\Temp\621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
"C:\Users\Admin\AppData\Local\Temp\621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe"
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\crackreado.exe
  "C:\Users\Admin\AppData\Local\Temp\crackreado.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\vn.exe
  "C:\Users\Admin\AppData\Local\Temp\vn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Roaming\explore.exe
      "C:\Users\Admin\AppData\Roaming\explore.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explore.exe" "explore.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe" /watchdog
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:604
      - C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe" /watchdog
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:956
      - C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe" /watchdog
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe" /watchdog
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
      - C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe" /watchdog
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe" /main
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\System32\notepad.exe" \note.txt
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:275457 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:406543 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1944
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
599eb95410ecc386810611a6230f14a1

SHA1
9b870f95e1fb4293b95282e9f85201dce787d90f

SHA256
70ab525d262fe421bd99fbe922146dbc1d0843fa082f5a1a6670f3b067031a2b

SHA512
90bccdc1b24a1ecdf5441519a38c555b7ba87e108e0e05ed9448d51d1355e61cd42b13de33b1d24a39ab48ccfcb47ed4222af9c6353eedd897c48dcdd1705442

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
472B

MD5
349a5442591cdd239c9e9e22190bf0cf

SHA1
406a2dfb6d727b8f4a5031503659b4f15a5b56e8

SHA256
70ad939122bd78a771db315f174b810ce41f989194bf67b23617a02676196ba1

SHA512
cd7a365df445bf884f3479ef47877c776204863ec9221c711995954bc02471dc8f515ab4461cba07c459044ee6f1bc095e3d934aebeedb0c26fe9667a88c3018

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
90ce8e0cda90f6ddee8c04e2b382c6b3

SHA1
5d18ec9adc69933c38d5b79ce3471bb83fe9f1f1

SHA256
7f1489096f58466d231b4462eb6ba0ffc3b75eda6a6676d05e965fc8e0326a0f

SHA512
a2933f5e1caa3a5088cb325f23476e57bf2b776f5627e7db713e18684c25793736857c262045b74b9b396c0a5700bb6e7acfb09c6fb5acdce3a049f92294d2cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
85fc5d00e6e9c1e6560c0391e50d9073

SHA1
94b2a7f86f15a2e8050c62cd72a320121d333531

SHA256
9de532d5fc8a5281183aba9aa9089727e651a1e81e12fade9f51190da93bbf7d

SHA512
919c2e133e38542c421fd5eae7b49120a4b4dfe35371be3c34a6c780dadd76d84442135ec4899a16a870e3ec483abe3df7bc806add0e35f6f19f4827314c02cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
398B

MD5
ebdb385b83b168787756c9a64d339f6c

SHA1
296dc26e16befdc30340cc754281e3cf21d1a288

SHA256
4bfaccda1a16ecab8551b58a4a626aae6972ea70b696b10880c430fc49a7a740

SHA512
b93426d04668fdd015bc53283dac51c8cff11068f54608da77f1b74b4ca1caba77fd509bfc9aa4bd2117d5089d2c885bc3d5bb6a7b9a8202a81e9fdfb59f43de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a91c6e3e49791699b11c92da05129d61

SHA1
f9f36f265af1dd1effc58117f9ec2d80e294311c

SHA256
8da79b0f346343a9933efc6e5ca37265083d9bec577f448530131cd48d73a1a6

SHA512
dc6bd84319164918988a61e4cf545b203a2abd170bd154fff8cffcc539dbf7a390d24842fee2e57ff9d4c29d9796925db1a299f803ee2ffb2c2ef0daf5cae157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7407bc2d6f20e3b482422499d6c8834

SHA1
be886ea2fa85fc98d91b34f980f2f587d32524d0

SHA256
382c0e439256ffafa89b8686a8006968e9c2c4770abb8de84351a46bd4f9effa

SHA512
f5cf7fb6488192bcf72632bd95113d82537f2a1c382ca2ea4fcb7fed73d391d3615d345a409dc516fa8dbd3474d17c2d85d72cc49cf67ba00828c0548b1aae38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6471260da33a0e27566f30da722697df

SHA1
5caf8a6ac0a28174c20d40b6b708ce94efd8fabd

SHA256
6b9a9f380d012d4f3a920ca056f4a368991764e1ee124e9db13fedfe7767452e

SHA512
1397d8aaf754be5169880a7ef7544bf00e8051554a288f04b6199afee82e1a9d4be085fb2643e6229c6db5323d43a31ba345fae9eb39ee1d689cc068c9d984ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
453c1e5d3cfb733bd2fb4f578622c148

SHA1
91f74a19eb71a9868195b0ad8d96ff5fdc503015

SHA256
acdd9b6018c093b39cd7b00a04b5703832b7e87260924680296e952d55f3cec3

SHA512
b1eebec6c05bf754772035519d563bfc75917fc3c29124735ffdf13bb3924a0f870a3869ba0c31d9277150c7be9d2906934a126e51d5f03c6d5e2c65c019ff2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dd4916e5b9e83b89776f7009bbaeb6b

SHA1
0d3a2969d74828adc3756de0c64b4e64d6ed40a6

SHA256
5b7cf0ffee628eceab5433735615ffb3f9db78bd5ba2c71e69a5f16686a23cb0

SHA512
185397a4b9689b79cca7c822ad7384725bac81b0dcc7d00ff7bd258767045bea81aa4859b71ec1c68f444a7454ead0c8265dbf632ead06d41618d0f2d6cc3ada

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f941bcdc856f6d08ea4144f93a595907

SHA1
285fd50b83135bb91a1aff282f740346d3a94655

SHA256
dcc1a4502b34b94b4726c14f288b3cf37d3c0cfd58f5eb312d4c0b213b7fb658

SHA512
4c636a32b225ace284d37d53f47dc7a2b1b38d236cbd46447f23791b49c4d1b68bdbd8a16b8fe51dca5c57bbe8ce3243e3b4608da78125a6475b6d70c0b8f6c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6cf8e4d11d5de0fbede325115ea2a98

SHA1
ce7b95b25a25940c4a7f44b6220a1599b62c0733

SHA256
78a29ba9dc6dd4ec3bfefed5f3170d462bf339c1ddb5ce64d04b3d3d523138c6

SHA512
b1284ad8bd1cfcc235cabfaa12bfa2fdb1e0cf0317430f07de85a91915b84d28fec6c344b31d69db05a95150d71f9d002e691481e11c62adca67f64e72efabfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f123bb11e344e7b8404a0e3a6f1f055

SHA1
9701f919c1590772648fce6d5afd8f3c5a22a31a

SHA256
4af7e8f2ca3852b9f34d629bf750a82096fd4d1851a32f296d7fde8ef43f128b

SHA512
fa9adc2ef39fc0cf73017fbcdee6858e81be9dc1a16fd54f6f3709d5f56a548b1ec21952c86dc21f0cee5f5578b1bccadb35b9fd81f4633bd5930cbb38e71406

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3afe5a4b29aec437634c7d1dac579684

SHA1
71fea7fcdb3284177d022f8aab18654d0a7312a0

SHA256
72b94610f14c92d8bbf5d63b83108899f19674926a617c7e0d9fe41bf1663bce

SHA512
53ee36beeb0a664b0fce5bf22ba14cddf07ff0fd33cd7c45d12cf63b31e151894dbc570dde0a8a912c2161e10eef5f400db7b5c675bf48b9627304a48d7edc7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2202af40e718cba374f9b40fa5e156db

SHA1
ff914569ed5ab7aa33b1ec56096c04bde639d5bf

SHA256
126a07b2fc8620e799a5ee2b67891e3e9f8bf245ed5961ae7fb535f66ebe0c5f

SHA512
1d5d067654e4b68786e68c1f6dfd80da1438a17af0c7a0ebef75e9e1d13b79412f4b8a59c28687a8815f69138836c0ee68e3a409c10544e96ac3e172eae8714e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\PRFR2LOH\www.google[1].xml

Filesize
98B

MD5
e43f55b640d1aacd7ea056de2a4aa59d

SHA1
c90e61e1ab20f3e20049269cc93f405b230c7d90

SHA256
b1987a22437002354d927027871a120b918e5d059a93cb792db0a86b3e5ebe64

SHA512
0b1cccabfe5b1f6746a2892478d49fa6c9262f62f33c36becb720d380e7364497a10b5a426e7b5481b76fde712e23fb464909339670dd452a95a3b4da585557e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anyweax\imagestore.dat

Filesize
5KB

MD5
92e39d022c088cd2a0a5ef4d03b8fd11

SHA1
5916fc66e3421cd7ea5bff27a41fcdee5753604c

SHA256
a7f03aa263a41a64a8b1270f88eba178c9391709601dd042a43a44dc0b5ea879

SHA512
99b852db7541ee71d4ae73a5b9feee1946e365b9ba1aecba46b3c25d68b847adcc9adaf439fc10ad00e64beb15e5f2bf5cd4b65aed7c0563fad92c133a1af46b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\webworker[1].js

Filesize
102B

MD5
dcf0dd9e2a4c0015bd80ce993ac84ff1

SHA1
6c4eda6061f7a7b9e05f439540fa26c261996fbe

SHA256
73943cf1ab8eff323e097bee9c52083255ee6e53b9abbeb193aa09fce212fa24

SHA512
f2d0a9e79d038ae1d00e6f4c08c3cf41af3e81ea8955e73052f89c4370027ba795080c867019497842a337f049d0112d8dd6c3f1bf5db8659d5f8428023128e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\api[1].js

Filesize
870B

MD5
9a90c06ffab392f11cda0b80188775a8

SHA1
395386715f54948ab58be5ad918b494b1ab86156

SHA256
ef7a5d110fd5a78289d4f71807784696ef0625efca97453caa6f3051e74a4c6b

SHA512
e40292115e00e2e652be3de796da6e860f99901d58adbd543edcc281e80fbee45ba35cb6b436cd5f7bd654eee8ce722a8f5fc41c6a40478f77bd2d6fb44f5780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\mvDvIi4beBjf1fAfdxGbA4VYVCJcas5EUwvCnHT9ouo[1].js

Filesize
25KB

MD5
d378a138b5451a4ef9b25945e55f6727

SHA1
cddc32434e326ef72b0153b7e0b495ce5c33e577

SHA256
9af0ef222e1b7818dfd5f01f77119b03855854225c6ace44530bc29c74fda2ea

SHA512
bd398b61ca3f36df3f4abee49a96448b461d2c27439c60819f27d9dc78ac640598f3c91080ed512c958c23f60df2c978f2ef354aabf956cbdb2a68e64e7cbfc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\styles__ltr[1].css

Filesize
76KB

MD5
a9a4c0df287886862263d8af0a6e096e

SHA1
4aeb13637cff035bb7cc47aaa42d61f306e0e474

SHA256
ad68a177a2d52e736095a6b7431fbfca3f840d66a1ea67090b55c5f90722b067

SHA512
a9605e4b740e3841366ecfb2ee8b44469057009279d8bd6b6455af13bd5863dc130a65c740b465e20e060a3cae4d74ef7b4da860ed144b89131c5406bf12cbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\recaptcha__en[1].js

Filesize
545KB

MD5
1f233ff2deeaaacc3c11614068d6f46d

SHA1
6ab5f0fb0ada1228ef529e3d48961c36fbc21424

SHA256
dc987654372c681461a1ab9e9835fc0006367829e3f0cdccee51081109d7868f

SHA512
a44c564ba2ff696762dd9a9f05f38dbb839a594989bcae5c402222ae6d9a17a29942c99df9c473f043e928f98bdabb62299bb192613c72d5d5b3efde7dd36c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA842.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA845.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\crackreado.exe

Filesize
266KB

MD5
08f60cc9834ea6aa7a0debb5a9f31596

SHA1
c5648fad6c56ee9709ef43ccbedb7c8eb5e1c765

SHA256
012b2fcc90e10eea3a4cae76faaedeb0a0577aa62925ad098c9dd8b6e610e97f

SHA512
649d7d0ecbe3cd8d3dbf649ff2389e9c88e094401a64b60429c6142c20f959c183a503245007d3bb5af80d223508298ee5750057c1279f4874942996bb5d4d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vn.EXE

Filesize
49KB

MD5
ad82a9592cf1049cc41e09a5ded58087

SHA1
6c609e53570e6c681889e6ef8a125f3ea06dbd68

SHA256
ca36c45944b74585a60c05e618ab6bf891935f78f0137ccb27d23f2be13ca13f

SHA512
d96a40310057a7f4cd649fcc38d4d5b377b7a21ae3fd8d2941eb027eb8c107440f9d3bbd5cc67a701f40d4674f3df549dc96b2b0d0d68f592d1ece98bb4021bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DD23M2HM.txt

Filesize
122B

MD5
6c38f1d6260d7748402be3116bdc65d4

SHA1
04f53856c820630a8e625a75875b1e977a4e8fb5

SHA256
1eaccc379170275744e7280437be8c2e7707474d025b092de4e88d0ada4a2d63

SHA512
fbd1b705eee6fb702b3b77d50a7b5233f4aaa852932fc1540407f9b4af05426192cf8ea607dbbfe6f593dcc4edea50304407ae530798f0de5c0d72c747854bf6

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe

Filesize
23KB

MD5
26faf73fe025e21d49eb7d6d93146937

SHA1
0656911baa4e191c64e62bc8636f9dd9b4f3ac92

SHA256
ed3104c51ae7ce3a6ae62641c6bfbc5094a73eac53e6ca6706434e0815053195

SHA512
e7d0fa3cfe3bcd8ad36c01b132a463a1570f49fa3aa019d66e41359c49b2c88ef7af6a48a4de9bbe1f95c3b5840606514afca4011d836446c82ec5a0c1e83a54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer1.exe

Filesize
23KB

MD5
6e21d078457153d26ad7bba875c27266

SHA1
021b8de05fd173c442445fdb7a2c35e6c55c22e4

SHA256
a80d4c357c01acdf27602109d41827da153c712d5ddc8dce1f19723257fd7e2f

SHA512
bf390204b31f532f94965c283210280fbbb47b5d5150825a8648362fb5443dc2d0df98b6bf9d8b0da8d8a273688b7252ed6043081ad545c1109f2cb4c65e6ef4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8C87.tmp.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
memory/1336-33-0x0000000001000000-0x0000000001028548-memory.dmp

Filesize
161KB

Download
memory/1336-48-0x0000000001023000-0x0000000001024000-memory.dmp

Filesize
4KB

Download
memory/1336-47-0x00000000007A0000-0x00000000007C9000-memory.dmp

Filesize
164KB

Download
memory/1336-65-0x0000000001000000-0x0000000001028548-memory.dmp

Filesize
161KB

Download
memory/1336-49-0x0000000001000000-0x0000000001028548-memory.dmp

Filesize
161KB

Download
memory/2156-42-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2156-24-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp

Filesize
4KB

Download
memory/2156-46-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2156-64-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download