gh0strat | 8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe
Size

408KB
MD5

f4378da7594eae7da42cbfdef392edbf
SHA1

f4ac310ef1378d4d9deabb48fdf162d2c546f0ef
SHA256

8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe
SHA512

66c2d80b891df386b13c77ad7e04731de93c3a56af155c2a23b00fe15defd98b78c1944e039c7b714be677de41eeaece8463f87a33ac9c7c8223653fdc74221c
SSDEEP

6144:6NyLEbWaR5Cc5iXVrXKVRl6zVH+DOEFEDMw7PvP2aCnt:aUaWaR5voXVr6J6zVIKv+t

Score

10^/10

gh0strat ramnit banker discovery rat spyware stealer trojan upx worm

Malware Config

Extracted

Family

gh0strat

frp-fun.top

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/824-0-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/824-5-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/824-40-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/2736-42-0x0000000000400000-0x0000000000468000-memory.dmp	family_gh0strat
behavioral1/memory/2736-133-0x0000000000400000-0x0000000000468000-memory.dmp	family_gh0strat
behavioral1/memory/824-1193-0x0000000000400000-0x0000000000468000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
2216	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe
2772	DesktopLayer.exe
2736	Eowywou.exe
2124	EowywouSrv.exe
1660	Eowywou.exe
2536	EowywouSrv.exe
2924	DesktopLayer.exe

Loads dropped DLL 5 IoCs

pid	Process
824	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe
2216	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe
2736	Eowywou.exe
1660	Eowywou.exe
2536	EowywouSrv.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D50D0CE1-DB22-11EF-B4E2-F64010A3169C}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File created	C:\Windows\SysWOW64\EowywouSrv.exe	Eowywou.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D4346FC1-DB22-11EF-B4E2-F64010A3169C}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D4346FC3-DB22-11EF-B4E2-F64010A3169C}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D50D0CE1-DB22-11EF-B4E2-F64010A3169C}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D4346FC1-DB22-11EF-B4E2-F64010A3169C}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D50D0CE3-DB22-11EF-B4E2-F64010A3169C}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\EowywouSrv.exe	Eowywou.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D50D0CE4-DB22-11EF-B4E2-F64010A3169C}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D50D0CE1-DB22-11EF-B4E2-F64010A3169C}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D4346FC1-DB22-11EF-B4E2-F64010A3169C}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D4346FCC-DB22-11EF-B4E2-F64010A3169C}.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\Eowywou.exe	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File created	C:\Windows\SysWOW64\Eowywou.exe	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001225f-6.dat	upx
behavioral1/memory/2216-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2772-31-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2772-29-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2216-11-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2772-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2124-49-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2924-151-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-150-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE698.tmp	EowywouSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	EowywouSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEC71.tmp	EowywouSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	EowywouSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE2FF.tmp	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EowywouSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eowywou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EowywouSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eowywou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D3AF22C1-DB22-11EF-B4E2-F64010A3169C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443974686"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "4"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e9070100060019000d002e0039001403	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "2"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c716e0cdd085c545bd704861ff2ad63b00000000020000000000106600000001000020000000204d7fd30be994b869b79bdcb4483fb53a8fd0c6ea5bdfc7c547abbc4d87d8a5000000000e8000000002000020000000647e6b88a874ccbea6ec050d4a593ec3274e096a190857b53f4c12e5cb1f344d1000000007dc84196069f140b30c6565c02a7aac40000000543856b375bb4cea0b8c3e759b753c507599c7144afc75af7bfae11fe9027d6c3b718923489175af51107b8976067e0f5334a32f00211ab33c8016cc2b30bbae	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e9070100060019000d002e0039001403	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Flags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 0000000002000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e9070100060019000d002e003a00f30200000000	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e9070100060019000d002e0035000801	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2772	DesktopLayer.exe
2772	DesktopLayer.exe
2772	DesktopLayer.exe
2772	DesktopLayer.exe
2124	EowywouSrv.exe
2124	EowywouSrv.exe
2124	EowywouSrv.exe
2124	EowywouSrv.exe
2924	DesktopLayer.exe
2924	DesktopLayer.exe
2924	DesktopLayer.exe
2924	DesktopLayer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
824	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3008	iexplore.exe
2928	iexplore.exe
2928	iexplore.exe
2928	iexplore.exe
2928	iexplore.exe
2928	iexplore.exe
2928	iexplore.exe
2928	iexplore.exe
2928	iexplore.exe
1876	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3008	iexplore.exe
3008	iexplore.exe
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2928	iexplore.exe
2928	iexplore.exe
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1876	iexplore.exe
1876	iexplore.exe
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2216	824	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe	31
PID 824 wrote to memory of 2216	824	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe	31
PID 824 wrote to memory of 2216	824	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe	31
PID 824 wrote to memory of 2216	824	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe	31
PID 2216 wrote to memory of 2772	2216	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe	32
PID 2216 wrote to memory of 2772	2216	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe	32
PID 2216 wrote to memory of 2772	2216	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe	32
PID 2216 wrote to memory of 2772	2216	8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe	32
PID 2772 wrote to memory of 3008	2772	DesktopLayer.exe	33
PID 2772 wrote to memory of 3008	2772	DesktopLayer.exe	33
PID 2772 wrote to memory of 3008	2772	DesktopLayer.exe	33
PID 2772 wrote to memory of 3008	2772	DesktopLayer.exe	33
PID 3008 wrote to memory of 2768	3008	iexplore.exe	34
PID 3008 wrote to memory of 2768	3008	iexplore.exe	34
PID 3008 wrote to memory of 2768	3008	iexplore.exe	34
PID 3008 wrote to memory of 2768	3008	iexplore.exe	34
PID 2736 wrote to memory of 2124	2736	Eowywou.exe	36
PID 2736 wrote to memory of 2124	2736	Eowywou.exe	36
PID 2736 wrote to memory of 2124	2736	Eowywou.exe	36
PID 2736 wrote to memory of 2124	2736	Eowywou.exe	36
PID 2124 wrote to memory of 2928	2124	EowywouSrv.exe	37
PID 2124 wrote to memory of 2928	2124	EowywouSrv.exe	37
PID 2124 wrote to memory of 2928	2124	EowywouSrv.exe	37
PID 2124 wrote to memory of 2928	2124	EowywouSrv.exe	37
PID 2928 wrote to memory of 3064	2928	iexplore.exe	38
PID 2928 wrote to memory of 3064	2928	iexplore.exe	38
PID 2928 wrote to memory of 3064	2928	iexplore.exe	38
PID 2928 wrote to memory of 1424	2928	iexplore.exe	39
PID 2928 wrote to memory of 1424	2928	iexplore.exe	39
PID 2928 wrote to memory of 1424	2928	iexplore.exe	39
PID 2928 wrote to memory of 1424	2928	iexplore.exe	39
PID 2736 wrote to memory of 1660	2736	Eowywou.exe	40
PID 2736 wrote to memory of 1660	2736	Eowywou.exe	40
PID 2736 wrote to memory of 1660	2736	Eowywou.exe	40
PID 2736 wrote to memory of 1660	2736	Eowywou.exe	40
PID 1660 wrote to memory of 2536	1660	Eowywou.exe	41
PID 1660 wrote to memory of 2536	1660	Eowywou.exe	41
PID 1660 wrote to memory of 2536	1660	Eowywou.exe	41
PID 1660 wrote to memory of 2536	1660	Eowywou.exe	41
PID 2536 wrote to memory of 2924	2536	EowywouSrv.exe	42
PID 2536 wrote to memory of 2924	2536	EowywouSrv.exe	42
PID 2536 wrote to memory of 2924	2536	EowywouSrv.exe	42
PID 2536 wrote to memory of 2924	2536	EowywouSrv.exe	42
PID 2924 wrote to memory of 1876	2924	DesktopLayer.exe	43
PID 2924 wrote to memory of 1876	2924	DesktopLayer.exe	43
PID 2924 wrote to memory of 1876	2924	DesktopLayer.exe	43
PID 2924 wrote to memory of 1876	2924	DesktopLayer.exe	43
PID 1876 wrote to memory of 1480	1876	iexplore.exe	44
PID 1876 wrote to memory of 1480	1876	iexplore.exe	44
PID 1876 wrote to memory of 1480	1876	iexplore.exe	44
PID 1876 wrote to memory of 1480	1876	iexplore.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe
"C:\Users\Admin\AppData\Local\Temp\8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfe.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe
  C:\Users\Admin\AppData\Local\Temp\8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2768

C:\Windows\SysWOW64\Eowywou.exe
C:\Windows\SysWOW64\Eowywou.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\EowywouSrv.exe
  C:\Windows\SysWOW64\EowywouSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:3064
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1424
- C:\Windows\SysWOW64\Eowywou.exe
  C:\Windows\SysWOW64\Eowywou.exe Win7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\EowywouSrv.exe
    C:\Windows\SysWOW64\EowywouSrv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2
        6⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious use of SetWindowsHookEx
        
        PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8c581ce2488e8bb59c006904be06e22

SHA1
ccdd86c0c17dc712ab50fed2e88a919e3001afba

SHA256
10c8a23ad1f13258ffd217c44d91007b4c2b9e232f83423e539fac98af1bb1bd

SHA512
3fb969f8f8c454a7bd8834d7f29b067f19a35cb72abd1765303a183ccc50379cb1b0878e71dfde8c0d07b6316f69262791afe59f94df24bc4a6cf7d8ef7ee2b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bef860d65d06b8d05e403e23eb4014a7

SHA1
a9d7ee62dac9146b2af11c06cd2063e1134ea790

SHA256
29ce0d5ad6af2973946f4f23b40ec52a8c4a28097a59958bc7a1339b8a0ff4f5

SHA512
d9743c9038f31c5ce3778ed8480522a9e60f205bae75cbfb829b8a6b2b33d39fd895a3b9f5c02e6788b9adb66529e56302d1096cc8e2939abe73e35f57a880d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9341d2ee70f10eae7121364a178b4f9

SHA1
af1dfe6b9adcb90690f5c43c9bb56319f77a68a2

SHA256
ef2dfc9fcc200bd88ac411fdddd7e988f481596308ca91333d7a4e46e83c901d

SHA512
1b086c4c40788919e1cc7f61065a278142a6f1032affc69d08358750ec44930bba4dce3c80ff0f9ecdf6aeb9564a6472da293d567af2db842f4ed1c7e9f35240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ee7c528683849928452d5862795dba7

SHA1
872b6d9ad0d971740cc7c6cd5da639cd3149c278

SHA256
12213203260934ab0dca330865839fb6b95841e8f2ec3cbb0a0eb886f7c98208

SHA512
8d1e0f2ccfcd7e87fddf150e8f375c28572220182ba4b3fe4bb0694e6f212163488afc7d76ceabe2a4753a8014288ba527986afac486339a0c050fa0a15197f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01192aeeeb3f40e0abd48b17714fb236

SHA1
9dde58a194887b145464f04bc355da6f7bd42583

SHA256
0d878d973fdd7acb2914c3898b1bfebb3e45e1fa362130da0ceaa03fe657486e

SHA512
3f4caaa526ddbdf7842ff7c138296c87f7926deedd94c23ef20ee209b3c92500c1546d04822c0212b5e81c9b36153a03bd0c558a21617f218b0d106bc2690390

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff1c5be54bfe27caa538a2e1f784f30b

SHA1
735dfc2a1f8ba8beb8f3bc62beb668d8fa6f1372

SHA256
8f75012b751067929249a28344b9254d37127c94a7a2f89a2c535dc464df3048

SHA512
380bc88745bc941814c6e89fbcbba3d10ea6678fec450ea142b256b83eda0e83705e675b10d76d3896d58a07cfc390cff10471a208723af77f81a22c9fe3fb8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c17a29775e57202b46a170c09bad6ecf

SHA1
ea640b17a08b4564d61dccd406cc471fc35bd711

SHA256
1da6cabba7644477c7404a90839e5b2e5e53c19fdd5573b6b729e5985f615c00

SHA512
e11f36aea9990b4aeadd9538cf3ac6f05102d17806d32da68da7b1c2e5006517c5f0ebf266a94b55dca98dffcaa8ead1a49c45196fd4cf6a3a3d603b26e4a91b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a73671e1404a6a89100c1da7090c7191

SHA1
6742255a3968c0eb9905e4a476c1b064a328e867

SHA256
53384d2feda40585dbeb2b9dbf12e1cf012f1b783e34dccdec2b69a3d26cfc34

SHA512
fb59406d4ebefa88204265889323a8a2da2fa5a5690dce1b30dc79f5a820d8c6dfd2d1d3434026761e6793825c829c91754afde81ccf9f08eebd53b1d2909fce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4809e268fe40335699fd5ce943a6d6fd

SHA1
2c8ecbc3e33e9a34c8deeb62fd6774949322cc34

SHA256
bf81341756a0cced05a423a821e2827459104839ba42238e25af686b17e85d23

SHA512
d86ec6170f2183d6831600dc966f302769a9ac6e2c2f782fc1f43eeda0bdb009cd36017efb4a765e4f94d3de4a90811121b1b61572f77faa693848440f29c69a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f36d7f0f380c5bc6d25bfa115356b0f3

SHA1
8e2c9d461a9d7883aa7f7daf3a3a15acc6cdc89f

SHA256
950be7373a08d014ad58f2358e95e20c4b2eff84c174a52fd4ddbf6f6d0f885e

SHA512
5a8e32853c6ca1c87b8c7f8591f1597d0ef77d32366187f9f7a0115ff6971a187f5d29b80caf03d1a3396697dad18986968e457b1c88c217ed7ab00afc841619

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec6cdfd10792243dae70b56e43f7f993

SHA1
c8cf6e37201929caac95c42fcfb38d32aff89ab4

SHA256
0e55dfe620d55937f17d0d29485b6e199864d3c1238bc5e26b77c7369308f193

SHA512
0fa479d4f85fa3eb8e93fd1ac3bfacafdfd0b0f276d0c22d3030b57d56c2c0fc61296f6ddda0a9dd08a52d49ddc37d70dd991fae0a8071fdf3aa537b62c803a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ba939977a54c8566ef5bf374f44d337

SHA1
7888184a3d9ad901c28e5e45ecbd44371489d21c

SHA256
adbc37963876c13e9801c00cfbd928f473a573f32cd3d25003983c572d201066

SHA512
25bc542f60986fbad825cda3741ca63d0a507586f90e9882b9ebb08c6d8ebf4320fda8e509bdcb6106e66d251b1e4ea3c80fdd8fcc429a60c6b71b706ea02ef6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dd9bd9dc1a0882bf18ac14c828c57ba

SHA1
f60d91967e36d0666b413e482cfdbb513d6a2beb

SHA256
3e29b96a9aed3a9cc5cca34372aad634247b3e0d573b45f9689d64aa4eb4a27f

SHA512
547eefc774bc36eb6dc08fc81bda2faa271b994fd605c82d007ee98d6b7934909f3bda01ab76dbf1c3bb05e3ffa9b4f9ec901e0da35065bd05fbcbbeb970cca0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d67816bd91f9a3b7139ac06f1b4fcf4

SHA1
67de1aeecaa608b607f25e38a38f02c46fb8952e

SHA256
c067fc58f13fe94a08f80f86448d94adb45a59bda3cd2cde03f195e773f91477

SHA512
33cb5d7fdeddcbc56fb9fd1b9bc39fc4344819129f4a3399b17b12251de6888c917b1e92c85fba685786b20fec9a284c7cee2b33d5b8d48fdac0902ff111ff74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45dce488db965dd259fc81ff48a87810

SHA1
402ee7b5a0b054909588bee8ff7b2599bddd20ef

SHA256
30e277186560bf0456b4d40f515f7ee22e8d6db22de0d417659ca9b84ab6a9e9

SHA512
1cece236cc65045999a075349fcec9db58ecad1da98fd24c0b44a0c3ac4673ea36f8ef1053b0fe693ed094b2796bddee4476521338fe102f31811bb9e53465ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca4f29f62387fe0e359e8a14d1ea56ed

SHA1
d8266e3636fad80904e172c838821b62694cf4c8

SHA256
336f1736bc209b0de8f0209536f49ebc48154867a90707f2b1ff1fad0a917da4

SHA512
ef96077e0e56c8c26428c9e1f4e31d40eaea5eb0d42b161717793a5c98ceb29165c4e656fef15851d542879b44b2201b9e948c1e93d0553ceccfcc72624bf9f1

Download Submit
C:\Windows\SysWOW64\Eowywou.exe

Filesize
12.4MB

MD5
93c0e096592a2d5245847331b072fd46

SHA1
088274a1e73d666c95c6132fade7e355784dcce0

SHA256
0aa0d575715a25fb2b4e06f1f09a0ad8230f073b2255a2eefb467219a2bf7fb2

SHA512
3dae3325c144025124737b1a9c4a48d6c54799bbfe67fb16a47fe043187a34ed96fcba3b17b114a85cf4c88607ef8c01f057e24ede29c8d62299fd15da8633d1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
eb4a297192fa3ddb9259c6da8877cb61

SHA1
5591979e2a2eb68b373b4b0b59897f44a83035bc

SHA256
d3bd6b2193f84ee84f6d8de14f855f0202eed2300a8b93a669f63fb767e66ca1

SHA512
74ac67df52e791ccd660869c95c08c3eb4e128099ed0c2f714cd6f18e340aad39b8827409495c8d31c4e08e00a48f91963f597ed8126b42c101f963c1e73a45e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b4204bd2f48238a8789c8d4b84dffa7

SHA1
b9909a2d74d5fd92ddec7be7a08b47e0abda839e

SHA256
5e445f13d67c8b3fad86c07c951602a0018d3f8214b982de70716e4462ed5d9a

SHA512
944f7eac464aa4dfc0091dc4f16dce19616adf11cd4ae68843ad329658af294883c30e5aaf2ec73ef045496643da260654798b7d8c624f9d84507796d4021b77

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ee2dfa95416bcec9805b61f2266c16a

SHA1
002354c78933c12c83de697fcd147cc36dd6d0ec

SHA256
f1183709d92a7a28cc4dc2b1c9119dfbda6f9f12818f1fce65befadf9ee4e94b

SHA512
06b889c4c219ab72309d9854b491030bbbceb22ceb8d717b59ac0f52cda2b7581a28041676f984b0688e3618d7c6ec382337a5edc2c4344852d44f8d02354ae7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07335b33305d52c46456e606cef3a0f3

SHA1
2e7d51f4696debbf1d0c97fb4a380d1f7199a607

SHA256
8afdcd400aab0a3aa0c71ef083af3373d4a0ae141c8d5778fc0afa360a7e7b49

SHA512
95f1564f632275862dfe7186736120b606b1851f5c66fd14cf08fe336cc65d621ae0f5087eb4a83474517e11b0ab9c281e2f20b344fb2fae5f3f0b35006f2ca1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc5eb510e3846bf3413155430c1a144f

SHA1
abf4092b906e1fd94fbefa051314ee6f3103eab9

SHA256
8e7eb9a717ea0ee85956f48b71d882ec843cbc031c19e5ba7f9667fc0c8b3814

SHA512
6f24ca9a45dc2d1176b975a8fc3cc2b101f198d659d8356f436d96fb8fded18efbb1dac0840dc31c0460aa8ab51d9af8620231bbf1c59ef163ab65e104d61007

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cee952b00b2376c0406d81db8685749

SHA1
ee0b925ae5a205be30db7ac182745d62ec82152d

SHA256
c9bd4c265c33fab1c464739b7021fceffaf1e34f1f76ea0656a348a1a1a9da85

SHA512
7b5f0de613647d2d001ad596c7b6a7e1d1a67f98e2a25217850891665dfabe8ca299952eeedfea0af0b7530f648542c5ad82f67cf42e541c2f88245ff5cc3656

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f582b5366afa9420830d50e49420192

SHA1
89eece02f5c235eaabd42db6ec95aa75d6e6f8aa

SHA256
028bba2e445bee7684fdd7ecd974cdd77d2fb5fec1e7160165d0d2dc8873d786

SHA512
4c216e41f1fd1bcccc971dd6308d648336485fcfe0e7a6f0c9d7e18cdca7b704a8a9fe8cacf9b42fd6004c2f63207ad3c0928e352ab1a0175b2d768f06745b94

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d5147a7e799f07cd4c145e96c07ec22

SHA1
ac02fb5a493f21872ac9a221bc678c0fc426d646

SHA256
eaa979b6cb4aaff3e2ec821cf6088d82a8d4c36e0ef7ceb9b888966d04329d9a

SHA512
5c20b19cfc384fb2053089590c37b282c4c4bd86b2255ce9a9ef97eaa77c8cca79923dae4e564033105b13634428da456d07033bf7dfec6aa3c0e533e1242c99

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7f498d8355b7252eb4b149fd7c1754e

SHA1
724d96477d48e19e93fc7d4e88abad717194f192

SHA256
45bc4a64f0f84cc67ce61c6ff938b979ce3f7d17eea6a7443f497333d10dc5e1

SHA512
3888754382e65b7fadaf17e2fed3757ea48335d38beb6d461638571a823d092b39c2a6a4a220e5ded8a13bbc3fb0ca72520ab1deae8b6f0628a013b275f1e4e4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7af4c8e00b8bf44c6cc9bb9a06faab90

SHA1
df6cf1b67b32e1b6a60f6626b39731502d4348fe

SHA256
c1e433002b33f457cbe511afbfa647b447e2c1ac058c904c931cab5b274f3924

SHA512
3fcff59c40537dce02b340595b2eb6a2a08229b8dc972c4d147369f50f3a30583111eab34cc09f2f11335b593a7eef12b96183d2032c9f6f1ff3f39cd7270ed3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc92367e596f500fa8806ac3869dfe7d

SHA1
c50b233274e97605071fe972a20a1d3a90570528

SHA256
f006114c1c2dfbdce6806517eda1211065e1e17dc1fdc2ac4f751f8c1a30153b

SHA512
1b032f18ccfafcf98026b237959a8e54e7da5d24ce423fdf3e01f8f86de29d422e2fbd965edda6c7a60e4bbe4c7cedd0f58ab11c3f62cfc21fa48941955dc70f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4762ee1685db5a445d4e06e2201ca7da

SHA1
8ae16c1aa6d0f12b9b1d9cdd761fd9a72fdafd36

SHA256
0d5a5a5d5a8f1de3953891131d25e232ad6aa540c38532e2049889f2d41567a9

SHA512
52c93c5982710f898d786b8fbc789a580b2606ca6a9f9bf7c383496a3f0362a79e65f176e70bc8cbd97450e0ebda700ac69c25ff93fdfcf0f4a44cd16380a422

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a19dc91edfafc788938a748e450da85

SHA1
4c6b53dd88b4eef6b07fcb0cf25a503d85658759

SHA256
d1799ca4a54e4d36658624db154aed850a84dcc0ef59a7066e35e9e5aad1888c

SHA512
3c254017bfe072862d5d660bef12cbef9f65b0b6705ceff61db55471eda516585985e7ac01fd933441e437fd780ae7db401fd2ea546c04522a4b0afee56e276d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c94ef0b57363629e556706a094c3fa9f

SHA1
37fbfe6d1025514c31109133fefc91ca2e23c8f3

SHA256
3b5e5f97f69a22c23b7c2e1b99e2f65b21504c0278a52e28f6e0648a41498a62

SHA512
47ec73da1db740cc9951b05c57012c06f07cfbc2ef2f5b59584ccf414f969ef9e4e0d9d6101bb2dbc5a117fef403781fee03346a18915fd54a7c4a9c12a6daed

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
663d949dcb505b8abaee55089d2de54d

SHA1
410c16d13ac5bd933943ffca13b76bf5c421075d

SHA256
fe66c78664e6425c40b61bfbf221b465990fc5b4a9b5cd06326efaf27ea15db6

SHA512
c1a0fb6ea07a3c228b0bb2a0b0cb8c6cf226acbc790bb350ccf0f42be87c1c70941d53726b5999bb2ca34ea9afcae0f945be7ede6efb631eaae31c69cc693ecd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4faf3c68afdfd8071f8b7bda8ac32a86

SHA1
7cddcfd6480835f180e447ec477fbbff5ae1b23c

SHA256
ac8a37f46eabaf4f405473f676b9aadfd72e6e8a9e41614c33365eb0e1460252

SHA512
363d8043d21639ae54fe5c838f7cde7e4868f6ed970044118a701b6a7b3e3c25d16dd4fbeee033ec3f367b2b12d78f55ddbd065e4c871ef87881b037afefd60d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
980078b28d0c7065ffabc4206bf0dfb7

SHA1
ab91a8d5eb2cbb9931867143dd8eae9688d71337

SHA256
017969c15948e06fff7ebcab00d1a38296f27bdced7db293dace04b96add8cab

SHA512
b2608714be3680c31159860c48b2ceda3e45ef859b30693441d80a67f1a1a6e75d2188df29571209c290848b30c7880787b208fb83b17db862c6a8d0441fcb3b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58f958dab32a8f4a9acf2f2c89fdbd17

SHA1
0af02b19f34bdd2c4171b519fb42c6eac4605652

SHA256
0eaee6e7e5656c53c10117398b686d82d463da2aa1ed65364fe280074eaa65dc

SHA512
9370377dfa859377c63477d2a4e5602b8e485a501a2a0859a610b5e1b0432a16810d214472b84c7fc92cad61d961138e07510ae920eb9758f8c75bb9dc0321e3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eb81e3be804a7256b54ac547855f5b0

SHA1
4c7000e58f227c5396abba4ff4e0ab6a3fa90e3a

SHA256
4be5e10d194b04a9ba60e804a9f4e99de788e859068d628d36e7e1d47e8c824c

SHA512
60320dccdef8cf77a9779e0a05e3e17a2a51c348144729b3d0cc2c567da1b42cd570cb1af3356553c8d5b2f494869e55abaef008fb7248f30ec21731e40d9666

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
618153a37e4bc421e9be47489fdf8b00

SHA1
0a5d0ebf8f83fa78ea985dd8729d8ac59d99dac1

SHA256
0999a3a3ebb519afd67b33427b1a9f7a8441605201f5d55c76747b11e7032501

SHA512
5d1827b099ac3dbfa31985e378dc51ba4c05cc81b701c078a2761caeac56fded865634acc4c2b240cf6bd2c8d77569d3d9e99e6a849199473ab78fc059431114

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
174B

MD5
1971d71c62ea75c4f433476600caa4f9

SHA1
428e9b5498ba9746c123ebf3ffd86a14f73878f3

SHA256
3f7e7774532126e2c175de962ce9d620471f4ac75463457e1b93ab615abd4de4

SHA512
88667b670c3ffc78b442e0767ca0ea2c1409b8a2c5f18e69496831f7bfa7496e54843819fe725eda06de6deca9ba9dd769d4b5f3ade4126905ed3b1bb6f94422

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabF5B8.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\CabF6B9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\TarF5CC.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarF76A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwE984.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwE985.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D4346FC1-DB22-11EF-B4E2-F64010A3169C}.dat

Filesize
5KB

MD5
db5762c06fba940f4b179316979c4d84

SHA1
1e9bde689eec56315e7fa095cee0d2126961408d

SHA256
0db8eb19d9e36364d5605c1af075efac6312e42aef45e2ceefe114fe321938f5

SHA512
5372c2bb0e2ff54d145d166e8e640f8d28121484250dd6e14446018f8d22952b97fb59b0f95f29a8b5c5b3b9f86d16c354fe824bd9046af47d7843e05f317e5a

Download Submit
\Users\Admin\AppData\Local\Temp\8a0adc21da0f4460d73bc875d75c6c1708f0c95d493b4fcc32c34008eefd3cfeSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/824-40-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/824-45-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/824-8-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/824-0-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/824-5-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/824-1193-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2124-49-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2216-15-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/2216-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2216-20-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download
memory/2216-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-150-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2736-42-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2736-133-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2736-43-0x00000000003C0000-0x00000000003EE000-memory.dmp

Filesize
184KB

Download
memory/2772-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2772-28-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2772-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2772-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2924-153-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2924-151-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download