ramnit | 98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Size

1.4MB
MD5

70cd455d964428878ffb0bca7502ac84
SHA1

5c900e0c88a31a3dd621ae9e026d3f6ce7e4a551
SHA256

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b
SHA512

8ec39ca6600bc241de13b98175ef278325272c8ece6fdcbab0e65831f2ee642ab7c06c7635038839c5d69a65a382d1a3945913a33e448151eec219d580ff6056
SSDEEP

24576:S7SUWoDtOo8aUYoj1thwbNEHfndEGJMvw:S7z8hjrhqNWVEN

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 7 IoCs

Processes:

Logo1_.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exeDesktopLayer.exe98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exeDesktopLayer.exe

pid	process
936	Logo1_.exe
4768	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2068	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
3720	DesktopLayer.exe
1404	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
3924	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
1084	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	upx
behavioral2/memory/2068-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3720-32-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3924-41-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3924-49-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\en-IN_female_TTS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
File created	C:\Windows\Logo1_.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4980 4768 WerFault.exe 98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

pid	pid_target	process	target process
4980	4768	WerFault.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEiexplore.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116059"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "454343568"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "454343568"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116059"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116059"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426536967"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "585906014"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116059"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{46B4B9C2-370E-11EF-9519-7E85BBD6B187} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "460905887"	IEXPLORE.EXE

Modifies registry class 12 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document\CLSID	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document\CLSID\ = "{F799295B-8364-4BD8-886B-F7151D48EE55}"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\InprocHandler32	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\InprocHandler32\ = "ole32.dll"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\LocalServer32	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\98C4E2~1.EXE"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\ = "Archiv Document"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\ProgID	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\ProgID\ = "ArchiveManager.Document"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document\ = "Archiv Document"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

Logo1_.exeDesktopLayer.exeDesktopLayer.exe

pid	process
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
3720	DesktopLayer.exe
3720	DesktopLayer.exe
3720	DesktopLayer.exe
3720	DesktopLayer.exe
3720	DesktopLayer.exe
3720	DesktopLayer.exe
3720	DesktopLayer.exe
3720	DesktopLayer.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
1084	DesktopLayer.exe
1084	DesktopLayer.exe
1084	DesktopLayer.exe
1084	DesktopLayer.exe
1084	DesktopLayer.exe
1084	DesktopLayer.exe
1084	DesktopLayer.exe
1084	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2904 iexplore.exe
2904 iexplore.exe

pid	process
2904	iexplore.exe
2904	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exeiexplore.exeIEXPLORE.EXE98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXEIEXPLORE.EXE

pid	process
4768	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
4768	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2904	iexplore.exe
2904	iexplore.exe
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
1404	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
2904	iexplore.exe
2904	iexplore.exe
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exeLogo1_.exenet.execmd.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exeDesktopLayer.exeiexplore.exe98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exeDesktopLayer.exe

description	pid	process	target process
PID 4864 wrote to memory of 2388	4864	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	cmd.exe
PID 4864 wrote to memory of 2388	4864	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	cmd.exe
PID 4864 wrote to memory of 2388	4864	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	cmd.exe
PID 4864 wrote to memory of 936	4864	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	Logo1_.exe
PID 4864 wrote to memory of 936	4864	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	Logo1_.exe
PID 4864 wrote to memory of 936	4864	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	Logo1_.exe
PID 936 wrote to memory of 2816	936	Logo1_.exe	net.exe
PID 936 wrote to memory of 2816	936	Logo1_.exe	net.exe
PID 936 wrote to memory of 2816	936	Logo1_.exe	net.exe
PID 2816 wrote to memory of 1284	2816	net.exe	net1.exe
PID 2816 wrote to memory of 1284	2816	net.exe	net1.exe
PID 2816 wrote to memory of 1284	2816	net.exe	net1.exe
PID 2388 wrote to memory of 4768	2388	cmd.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
PID 2388 wrote to memory of 4768	2388	cmd.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
PID 2388 wrote to memory of 4768	2388	cmd.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
PID 4768 wrote to memory of 2068	4768	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
PID 4768 wrote to memory of 2068	4768	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
PID 4768 wrote to memory of 2068	4768	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
PID 2068 wrote to memory of 3720	2068	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	DesktopLayer.exe
PID 2068 wrote to memory of 3720	2068	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	DesktopLayer.exe
PID 2068 wrote to memory of 3720	2068	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	DesktopLayer.exe
PID 3720 wrote to memory of 2904	3720	DesktopLayer.exe	iexplore.exe
PID 3720 wrote to memory of 2904	3720	DesktopLayer.exe	iexplore.exe
PID 2904 wrote to memory of 2140	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2140	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2140	2904	iexplore.exe	IEXPLORE.EXE
PID 936 wrote to memory of 2904	936	Logo1_.exe	iexplore.exe
PID 936 wrote to memory of 2904	936	Logo1_.exe	iexplore.exe
PID 4768 wrote to memory of 1404	4768	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
PID 4768 wrote to memory of 1404	4768	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
PID 4768 wrote to memory of 1404	4768	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
PID 1404 wrote to memory of 3924	1404	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
PID 1404 wrote to memory of 3924	1404	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
PID 1404 wrote to memory of 3924	1404	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
PID 3924 wrote to memory of 1084	3924	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe	DesktopLayer.exe
PID 3924 wrote to memory of 1084	3924	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe	DesktopLayer.exe
PID 3924 wrote to memory of 1084	3924	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe	DesktopLayer.exe
PID 1084 wrote to memory of 1592	1084	DesktopLayer.exe	iexplore.exe
PID 1084 wrote to memory of 1592	1084	DesktopLayer.exe	iexplore.exe
PID 2904 wrote to memory of 2884	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2884	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2884	2904	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
"C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a692A.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
"C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:17410 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2140

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:82950 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2884

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 800
4⤵
- Program crash
PID:4980

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4768 -ip 4768
1⤵
PID:3344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
41e5bbeb9a27c24b39dfcfcd41663134

SHA1
8a32317850b77cc92ae20411009a3895aef718ab

SHA256
72d2ac5cecc3741d7657a400645a90219822a2c91aa04bef827f837a57e0ac14

SHA512
9fb405ed3ea22d0bdc23474fb4727c38470f3509ac3bf754ebcde8fc6a7aea29bbe550c9245efb5c25e54554a92f370e78d0de8b8b8e319b4b57232ff7e1a2fd

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
570KB

MD5
bdddc1b2cdf76e86485d445b70620389

SHA1
add7f64d51251409f091936a9185e5a3f0262df6

SHA256
a70a4174c0711702fbc334a524e5930c22b58e0de8c11f2d47ea989cc9b7b10d

SHA512
0f32a125a06241c8b831fb45e25c099c33bb71df5e299cf5a87070bdc875cc714ba7d9d7165f138dbed8268c6e2a0aadb3069ac24eb25d825c8a1e12982e69e9

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
4002e8b12817dfbab01588c4f44e6ee3

SHA1
cd4af5e44b05b1af7218bc8b2a002f471c480fa6

SHA256
cc39772f0b25c3383b5f2e37ff9b29bdbc27193366d8d6422a8f0b81801d6ab9

SHA512
b42ef3ac0dddb2563e6c4d5d49042d9da7a5f03718cbcc59d2025b842efd0b64fda490571459fdcfb49acc0b80f15edee68a510598fe60b0ae9151c01c615404

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
8ca39bb64eddad13e5885294e08c19e1

SHA1
172bec105e2ed7d32567986af183f2a7ee78c76f

SHA256
a679cb9f09db1a780a3ad854f55c92f2ebbeeaa04d0631ec1711b24ff02c397a

SHA512
7c00c8e83e0c22096d73f715482c5ff0ea90c9057f0cf85164709c2cbd962c47564c4d964cc9c7e5e4b4a4db5ff3270b5aacfa0e5d92b34eb16933838aeed5be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a692A.bat
Filesize
722B

MD5
51aeff563d7ed69f251d88bf15f75015

SHA1
0c2397fc5c7ea82b1f1e746b2d2dfbf206271144

SHA256
50b36f7969c1a26510b2807d3512b2ef0fee02b34f2db83945818f6465ed3f3e

SHA512
bc21e129a66af33ff36ae6552614ef7b691bd01e2360813743a90abbdcdf59621a73b9f683a9a485f06d611140fb1dda66c473c93c929e57db08b1fc54f77463

Download Submit
C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe.exe
Filesize
1.4MB

MD5
80384c0b7c8cd050ddc12bf134394ee7

SHA1
a92caed5099fa6f80b7f12701c6c782df3fff8e2

SHA256
50a93b7a23180a575cf8c7663cec7434b893d4149c1b5b5ef23f241ab916c0c5

SHA512
924384cd625fdfd22d2386b6d082c6b0e13028399bc18bcbd387c7de12550b6f99fe1f91c82ca148fbccedf86c5173023841ef284d25c27001eeffd3f44544ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
ae8fa257ab75cde9b7ee813762663977

SHA1
9eb4f9d9f4f505ff0f91955ebcfc0db4c505961e

SHA256
16d8783f98e7b2a4decc7df42a7957c90fbb1d6017439c667f5b104e27f5399e

SHA512
22bd094fe05cadef25f64d33686e3d3992cdf51f795354c88f240388289c719420875bd5212a01b3fd4a180f384359dab7b3950e31b386d31310bd08c71528db

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini
Filesize
9B

MD5
4b66be111b497cdd28c15afccbbd2620

SHA1
43ffb36014883f201e76464ded7ec69f2973d43b

SHA256
483e991549f8cb58e18e7a79a14cf6065e121f897e73b6f4edff227432a733dc

SHA512
32fddfbca04f67fdb0e865862e6f29b06cd079ddba416d801ceedcba8ed88b8dda77663fc8bd5bdd0224f722cd337c9d58edfc2e97e4fab73fa56f6f6198bb21

Download Submit
memory/936-1284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-1117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-4850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-5289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-48-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1404-46-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1404-38-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2068-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2068-25-0x0000000000440000-0x000000000044F000-memory.dmp

Filesize
60KB

Download
memory/3720-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3720-31-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3924-49-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3924-41-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4768-51-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4768-19-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4864-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download