ramnit | 98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b

Analysis

max time kernel
149s
max time network
130s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Size

1.4MB
MD5

70cd455d964428878ffb0bca7502ac84
SHA1

5c900e0c88a31a3dd621ae9e026d3f6ce7e4a551
SHA256

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b
SHA512

8ec39ca6600bc241de13b98175ef278325272c8ece6fdcbab0e65831f2ee642ab7c06c7635038839c5d69a65a382d1a3945913a33e448151eec219d580ff6056
SSDEEP

24576:S7SUWoDtOo8aUYoj1thwbNEHfndEGJMvw:S7z8hjrhqNWVEN

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2108 cmd.exe

Executes dropped EXE 7 IoCs

Processes:

Logo1_.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exeDesktopLayer.exe98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exeDesktopLayer.exe

pid	process
1532	Logo1_.exe
2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2796	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
2632	DesktopLayer.exe
1168	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
2884	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
1004	DesktopLayer.exe

Loads dropped DLL 13 IoCs

Processes:

cmd.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exeWerFault.exe

pid	process
2108	cmd.exe
2108	cmd.exe
2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2796	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
1168	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
2884	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2796-42-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2796-46-0x0000000000270000-0x000000000029E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/2796-38-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2632-53-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2884-540-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2884-547-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
File created	C:\Windows\Logo1_.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1604 2664 WerFault.exe 98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

pid	pid_target	process	target process
1604	2664	WerFault.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425933863"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4892C1F1-370E-11EF-9449-6200E4292AD7} = "0"	iexplore.exe

Modifies registry class 12 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document\CLSID\ = "{F799295B-8364-4BD8-886B-F7151D48EE55}"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\ProgID	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\InprocHandler32	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\InprocHandler32\ = "ole32.dll"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\LocalServer32	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\ = "Archiv Document"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document\CLSID	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\ProgID\ = "ArchiveManager.Document"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\98C4E2~1.EXE"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document\ = "Archiv Document"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

Logo1_.exeDesktopLayer.exeDesktopLayer.exe

pid	process
1532	Logo1_.exe
1532	Logo1_.exe
1532	Logo1_.exe
1532	Logo1_.exe
1532	Logo1_.exe
1532	Logo1_.exe
2632	DesktopLayer.exe
2632	DesktopLayer.exe
2632	DesktopLayer.exe
2632	DesktopLayer.exe
1532	Logo1_.exe
1532	Logo1_.exe
1532	Logo1_.exe
1004	DesktopLayer.exe
1004	DesktopLayer.exe
1004	DesktopLayer.exe
1004	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

pid process

2664 98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2856 iexplore.exe
2856 iexplore.exe

pid	process
2856	iexplore.exe
2856	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exeiexplore.exeIEXPLORE.EXE98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXEIEXPLORE.EXE

pid	process
2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2856	iexplore.exe
2856	iexplore.exe
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
1168	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
2856	iexplore.exe
2856	iexplore.exe
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exeLogo1_.exenet.execmd.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exeDesktopLayer.exeiexplore.exe98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exeDesktopLayer.exe

description	pid	process	target process
PID 1520 wrote to memory of 2108	1520	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	cmd.exe
PID 1520 wrote to memory of 2108	1520	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	cmd.exe
PID 1520 wrote to memory of 2108	1520	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	cmd.exe
PID 1520 wrote to memory of 2108	1520	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	cmd.exe
PID 1520 wrote to memory of 1532	1520	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	Logo1_.exe
PID 1520 wrote to memory of 1532	1520	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	Logo1_.exe
PID 1520 wrote to memory of 1532	1520	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	Logo1_.exe
PID 1520 wrote to memory of 1532	1520	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	Logo1_.exe
PID 1532 wrote to memory of 3040	1532	Logo1_.exe	net.exe
PID 1532 wrote to memory of 3040	1532	Logo1_.exe	net.exe
PID 1532 wrote to memory of 3040	1532	Logo1_.exe	net.exe
PID 1532 wrote to memory of 3040	1532	Logo1_.exe	net.exe
PID 3040 wrote to memory of 3036	3040	net.exe	net1.exe
PID 3040 wrote to memory of 3036	3040	net.exe	net1.exe
PID 3040 wrote to memory of 3036	3040	net.exe	net1.exe
PID 3040 wrote to memory of 3036	3040	net.exe	net1.exe
PID 2108 wrote to memory of 2664	2108	cmd.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
PID 2108 wrote to memory of 2664	2108	cmd.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
PID 2108 wrote to memory of 2664	2108	cmd.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
PID 2108 wrote to memory of 2664	2108	cmd.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
PID 2664 wrote to memory of 2796	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
PID 2664 wrote to memory of 2796	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
PID 2664 wrote to memory of 2796	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
PID 2664 wrote to memory of 2796	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
PID 2796 wrote to memory of 2632	2796	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	DesktopLayer.exe
PID 2796 wrote to memory of 2632	2796	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	DesktopLayer.exe
PID 2796 wrote to memory of 2632	2796	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	DesktopLayer.exe
PID 2796 wrote to memory of 2632	2796	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	DesktopLayer.exe
PID 2632 wrote to memory of 2856	2632	DesktopLayer.exe	iexplore.exe
PID 2632 wrote to memory of 2856	2632	DesktopLayer.exe	iexplore.exe
PID 2632 wrote to memory of 2856	2632	DesktopLayer.exe	iexplore.exe
PID 2632 wrote to memory of 2856	2632	DesktopLayer.exe	iexplore.exe
PID 2856 wrote to memory of 2572	2856	iexplore.exe	IEXPLORE.EXE
PID 2856 wrote to memory of 2572	2856	iexplore.exe	IEXPLORE.EXE
PID 2856 wrote to memory of 2572	2856	iexplore.exe	IEXPLORE.EXE
PID 2856 wrote to memory of 2572	2856	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 2856	1532	Logo1_.exe	iexplore.exe
PID 1532 wrote to memory of 2856	1532	Logo1_.exe	iexplore.exe
PID 2664 wrote to memory of 1168	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
PID 2664 wrote to memory of 1168	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
PID 2664 wrote to memory of 1168	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
PID 2664 wrote to memory of 1168	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
PID 1168 wrote to memory of 2884	1168	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
PID 1168 wrote to memory of 2884	1168	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
PID 1168 wrote to memory of 2884	1168	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
PID 1168 wrote to memory of 2884	1168	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
PID 2884 wrote to memory of 1004	2884	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe	DesktopLayer.exe
PID 2884 wrote to memory of 1004	2884	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe	DesktopLayer.exe
PID 2884 wrote to memory of 1004	2884	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe	DesktopLayer.exe
PID 2884 wrote to memory of 1004	2884	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe	DesktopLayer.exe
PID 1004 wrote to memory of 1512	1004	DesktopLayer.exe	iexplore.exe
PID 1004 wrote to memory of 1512	1004	DesktopLayer.exe	iexplore.exe
PID 1004 wrote to memory of 1512	1004	DesktopLayer.exe	iexplore.exe
PID 1004 wrote to memory of 1512	1004	DesktopLayer.exe	iexplore.exe
PID 2856 wrote to memory of 2616	2856	iexplore.exe	IEXPLORE.EXE
PID 2856 wrote to memory of 2616	2856	iexplore.exe	IEXPLORE.EXE
PID 2856 wrote to memory of 2616	2856	iexplore.exe	IEXPLORE.EXE
PID 2856 wrote to memory of 2616	2856	iexplore.exe	IEXPLORE.EXE
PID 2664 wrote to memory of 1604	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	WerFault.exe
PID 2664 wrote to memory of 1604	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	WerFault.exe
PID 2664 wrote to memory of 1604	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	WerFault.exe
PID 2664 wrote to memory of 1604	2664	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
"C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a21A4.bat
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
"C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:406538 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2616

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 292
4⤵
- Loads dropped DLL
- Program crash
PID:1604

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:3036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
41e5bbeb9a27c24b39dfcfcd41663134

SHA1
8a32317850b77cc92ae20411009a3895aef718ab

SHA256
72d2ac5cecc3741d7657a400645a90219822a2c91aa04bef827f837a57e0ac14

SHA512
9fb405ed3ea22d0bdc23474fb4727c38470f3509ac3bf754ebcde8fc6a7aea29bbe550c9245efb5c25e54554a92f370e78d0de8b8b8e319b4b57232ff7e1a2fd

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e99496e7f097b700d3ad3b8846566413

SHA1
e4fadc261a0b2890d614234ecafe26fae5fb2ac6

SHA256
7a6955937babac518d6f13350e0047e910ae5604dd897e5f418d04a88912d182

SHA512
1cc1b9e570e0b7c76f91eacc9c95e7388dc5c2e7dcb078b443dd158b330ad18162ee49135f21eee3c4e8cdc9d1fc0dd8b6aae527248ab771d45e76e5aa39e3e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6c64b999bc9b4a79ae3dc54ef1cfb9aa

SHA1
2329dc9525d3ce05fab21ae7ab46740b263afdf5

SHA256
38ec860bef2b0b67fcd38e617addc5c94ca0cd5caca3453b22a4fd2a0b3139ff

SHA512
6b6e56919cacfdff80fc959238ca3bd5941b942bbe88ebfe8475071430ffd1314d7757e8524ee47a6289a1351901b6ca00d86bb2a218d12176b23556a7cbe823

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9ba62cfd65d0dd56448f8aad14f865f5

SHA1
7f586fc3015dae54b6ae6bf8ec29cce478000eaf

SHA256
c2a9a4fa13bf749b69f9316e5235d205e1d4cccf80b9f57199b1a73e63d5dd9c

SHA512
c7d1f5e88fff42160ed6a7e83492c1140ea9ef6e3dab722c091a33123cfa4fea32afa1b048021e4cb06472b0de52fc93fc1b56132fde8de1d177c03acafeac38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0ed752076f0b074b3127556edfcb1c26

SHA1
f663203782b046f80a36bfd3f27fd615235f027b

SHA256
229e72174679692c87b0d340ddccb510ccdc5c0737d23f04380772fc612f7f61

SHA512
8bbf515373f29f829f7f64f159af56d2aedadc810e8f09c86d2e175e5ff45b132d5b72ec481280b3b0b8f7ea041116a382282c99ab2209396c40feb115da3220

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
316b0cb723c0b696c4e9021264702fc2

SHA1
f7903794cf0bf4fc6fa11ab596a390442330ab52

SHA256
b5289cfcae8fd2dc467babe01ebe89e24c1e9683db5228e37096b3280423af1d

SHA512
f22a99d7bf2448f59138d3b8d7d7c43ad522f1aed8640eb174d68d0790bc8da65693e589f38b0d9265b0af86a6a6fa568404a249e43e0592709d26814d7f89f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
29ab63d4b931d58d1de17115674259be

SHA1
ea34876077844fe68dbb170d03e86a667a2fae79

SHA256
0ce9e64243e733e10fcdf6c7948697be1a103e13b38cf45bc495fae69c9a93e7

SHA512
4eecf6ba7f19194d809dab396547723308d1b9763bb7e8ceb461cad451ca1a4d347aa90cda66869f4a4aa5a4f317f66f83eb518d3d53ef8775f0075f4b929c71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1b0ec3ca05a1ce4791d13e0c383f314e

SHA1
66c53b7b8bd2161578776a00f8b794d99d77e049

SHA256
11f78a7153a8be865b67af96456f85a3e0cb10bbbaed401cdfba5581c59009c2

SHA512
66bba3693342eb4c9edcd346ba458b396313f5f6a605198d78fe76173d99eecbce5567149d6ad636018ecbb397b26e0c72bab27f2ed92c219a4e3834015c45f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d9d5421fa91a5885cda3bbc09c817674

SHA1
4183b4334f45efcd767044d6c125d50aa8754358

SHA256
5a610e083b383ad5c483fed7e4ab7151085b14c319fe2d4776e61b930cda4dac

SHA512
a993e51a403eff39b97d15164ee657e7c28f4c7dd95383c2381e5f1a0274466b8f2232f0b4571f62cfc76fe09b68f0228702d48cb6d534bf88fbb0de27852aa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9ebfcde8a04dcbfa5ba3ed44da209a05

SHA1
46787944b9622c0610556b055cb37c8ead8a7bba

SHA256
97ada5cdab5bd9b8887b131f77a8a98d24d3682627d90ace7ffa4d78c479fe76

SHA512
07efa68d55a9d00edb66f70d8a26b40658c307db8be4b06a4197ec9a96a110b7e1e8577036aace7e36bf1aea5f8c8f4f99ed2c0eec5db4149c4f64795e9fd181

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0736a66886116e147bfb05430dcb000a

SHA1
eef63363be406b0edbcd7620fa78179fe13169f7

SHA256
983d138b6f9dc0cac3b8aeec1468c29262c759b824041c5f5259cd8ef02d2f3a

SHA512
6e8eb9c929a48305451dc91c0c7be51ad3c389d09c3600bc58652020da71b80a027c6dc46b5ee2eb9247ff8a6532f9d0d1cae1ef05c383192d61ecbb4edb3294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b86f5a0d70d745bf7695597ea8008cd0

SHA1
410c16f095d7fd680e4f5c6a4cc5987e2dc3fa17

SHA256
2736c96106c0741b5f4162486cc1f7c7008e31239cda4e9c262250d296dee6df

SHA512
20529afa25165cd92cb1267cb2218a39f141d4138e96c1e53fddab37e37e7f80725e59738c38657ceab5166429f44b2307cd635300e7c091beaa5b58ba6b33b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c0828a30083f54fcc46159928e13c2cd

SHA1
b69fd8dbe9b7160a806d0acfcba1c3570b69dbb0

SHA256
bb19dc98499268a33815398c28f66ec94dde0281f7649505ca7062045a50a7c9

SHA512
213da234559a240c35e355fce5e7ea03c0ca81161f9c9cfe5f74a46b24f96e5d8c0a79b592ebc6ebdb0af31ccba8bc773fe284bd35244790289d2eca65aeb997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
079f36f3adc116b49cfd9f6bd68fdd07

SHA1
1617579c9a4fca81fc06f42cd46527c0dab05cd9

SHA256
fd2ea53fe3bbaa7c435e8ce89800c95cccf295d38deabc2cc510767438c79614

SHA512
be2a4a47fbd9e9774313f5feabc168f3e518b06fc287b6232be16dc6a798b7ba44416d6d736417f7deb55d101341591603cd1ac6a86ade446383f7e01a8ac802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b2648446df13d04535ad9578c397ef79

SHA1
40fe0625f182d2d48b1763efd337b54128daa563

SHA256
5650c96bc86d2d0ada6dd6214c63350a0085ac707a35bb4d7a5ba12b03a2523a

SHA512
45aae37a441302daaeab7d9dd7e4e38eac5661126abe73214d4c6d87fd5c82384f07e4a38e032d9a679ed6f91ed2e19b771e2307c507add6c8beeb4071e14d94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5d6af089f84f649a4271bbaadd683a89

SHA1
8613646548385e60902503837f3093b5eb786f53

SHA256
c5a2f6df2fd08fffc58ccd682f7427b20e427a9441073cfe3dc5c89a0aa3aa84

SHA512
e0aa0d1f72ca0fdba71b136e202b3e6c20413fa3e3af62d59231fb4ae412414d199e9bcd403e5fc2cd6270396adcbcaa685ed25308afd2baa1691bdbb38a2583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
91b0350d69dcd16a12d58830aaf10184

SHA1
a0acd9bde58c4d9438f686972972ec15f50b3333

SHA256
ebb263a3d0270839685122c94981cc8a72dc03ba5e5165c55fe5f2e6b7501d4d

SHA512
010681f2480f92bf3d5609d0ecad4eb8820f9309e55241654399aec189678cb7d391e19257557109b472392e791b6e16ca3eb08f99de7161877083457f4a9dbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0aec17f0d2d8c6a0ab1d8bc15ff259a1

SHA1
22b1c16fe4adc52a9fc97a198ef57fa139920b82

SHA256
4d78d05240347c97ba96ecb2c52de0bb184be7d0e359f1cb6bfad566da602e5f

SHA512
7c95656818473f1602dea9c987c46ab7453c3057205bd94159961b4cd50224c33b560d5d2000cfff3484c5d3616a2486d4a51fbac36ffd77365c8dd823b5b191

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6983df0aec05a3add47d669d80f25a0d

SHA1
e3a929944a66e88e6127ab465c50967cf5ccd1c5

SHA256
25c6ac2b5e2ad08a00467a24d74abd140d8e6d08d4533e455f2ae7104494e24c

SHA512
3523d2270b0f38497d8732fd217fbec32951a2b4ffc5d3a2160e04243e537f98f182b916f0e3746a91bc8086081ae374162e8a61ff61c8c1cee6e1b8566b4988

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8b10f9ebe5d19c8650ea8e605dfc942f

SHA1
2aa620f680529553ad005aec50cb41db3b600f2c

SHA256
b033d1cce90855bcf3cbd4a63d0e56035f44754759b89beb5d183ab3d0845517

SHA512
378bc11cd09e07fc50021f89d7bdab9e074c32846912de952cf007f0aaa570672a53d63e82a248992901d7e74739db04bfa586c949ef73af6a23d2e3c33e684f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fab411be82697ad5d255731e8e75921c

SHA1
be1f6516f9ee13b59b3b11db328b3e4051afaed5

SHA256
fd2a42e588d02c6064329bf6cb2689a1052f47e203f9c9690daf2402f01b5edc

SHA512
73548b00c984839cd77cc92c72cb06171ee79edf3100295c63b9497d43aaa054cd1710ca7097548269c9082c2b383007a8949e49e24b87fa1574334a9c78e9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a21A4.bat
Filesize
722B

MD5
c20b94d19c8216c418cba49c0673d5b5

SHA1
06c1e9a9935f53d879cfd5325a9d937750b308df

SHA256
386a2c15d43a007a8e9eef41ac7329fcbed6c6e4a898bb846f493e3a61e50232

SHA512
790b9e9edf484071706fa47c87fe161735f7a74ecdc8858352141678cdc60a0b12234bec1e967d415f81ab0fe02420dadd737ff01acfb229037ab482232cdcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe.exe
Filesize
1.4MB

MD5
80384c0b7c8cd050ddc12bf134394ee7

SHA1
a92caed5099fa6f80b7f12701c6c782df3fff8e2

SHA256
50a93b7a23180a575cf8c7663cec7434b893d4149c1b5b5ef23f241ab916c0c5

SHA512
924384cd625fdfd22d2386b6d082c6b0e13028399bc18bcbd387c7de12550b6f99fe1f91c82ca148fbccedf86c5173023841ef284d25c27001eeffd3f44544ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab38BF.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab395D.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3991.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
ae8fa257ab75cde9b7ee813762663977

SHA1
9eb4f9d9f4f505ff0f91955ebcfc0db4c505961e

SHA256
16d8783f98e7b2a4decc7df42a7957c90fbb1d6017439c667f5b104e27f5399e

SHA512
22bd094fe05cadef25f64d33686e3d3992cdf51f795354c88f240388289c719420875bd5212a01b3fd4a180f384359dab7b3950e31b386d31310bd08c71528db

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3691908287-3775019229-3534252667-1000\_desktop.ini
Filesize
9B

MD5
4b66be111b497cdd28c15afccbbd2620

SHA1
43ffb36014883f201e76464ded7ec69f2973d43b

SHA256
483e991549f8cb58e18e7a79a14cf6065e121f897e73b6f4edff227432a733dc

SHA512
32fddfbca04f67fdb0e865862e6f29b06cd079ddba416d801ceedcba8ed88b8dda77663fc8bd5bdd0224f722cd337c9d58edfc2e97e4fab73fa56f6f6198bb21

Download Submit
memory/1004-550-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1168-541-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1168-539-0x00000000003B0000-0x00000000003DE000-memory.dmp

Filesize
184KB

Download
memory/1520-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-1105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-615-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-4345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-2882-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-1137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-30-0x00000000023B0000-0x000000000251C000-memory.dmp

Filesize
1.4MB

Download
memory/2108-29-0x00000000023B0000-0x000000000251C000-memory.dmp

Filesize
1.4MB

Download
memory/2632-51-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2632-53-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2664-533-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download
memory/2664-31-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2664-37-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download
memory/2796-38-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2796-41-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2796-46-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2796-42-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2884-540-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2884-547-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download