ramnit | 98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Size

1.4MB
MD5

70cd455d964428878ffb0bca7502ac84
SHA1

5c900e0c88a31a3dd621ae9e026d3f6ce7e4a551
SHA256

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b
SHA512

8ec39ca6600bc241de13b98175ef278325272c8ece6fdcbab0e65831f2ee642ab7c06c7635038839c5d69a65a382d1a3945913a33e448151eec219d580ff6056
SSDEEP

24576:S7SUWoDtOo8aUYoj1thwbNEHfndEGJMvw:S7z8hjrhqNWVEN

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2348 cmd.exe

Executes dropped EXE 7 IoCs

Processes:

Logo1_.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exeDesktopLayer.exe98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exeDesktopLayer.exe

pid	process
2360	Logo1_.exe
2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2804	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
2460	DesktopLayer.exe
1640	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
1432	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
1308	DesktopLayer.exe

Loads dropped DLL 13 IoCs

Processes:

cmd.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exeWerFault.exe

pid	process
2348	cmd.exe
2348	cmd.exe
2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2804	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
1640	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
1432	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/2460-51-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2460-48-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2804-40-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2804-38-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1432-70-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1432-68-0x00000000003C0000-0x00000000003EE000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

Logo1_.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

description	ioc	process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
File created	C:\Windows\Logo1_.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2948 2640 WerFault.exe 98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

pid	pid_target	process	target process
2948	2640	WerFault.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{964FA291-3741-11EF-805B-F637117826CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425955920"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 12 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document\ = "Archiv Document"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\ = "Archiv Document"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\ProgID	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\InprocHandler32\ = "ole32.dll"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\98C4E2~1.EXE"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\InprocHandler32	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\LocalServer32	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document\CLSID	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ArchiveManager.Document\CLSID\ = "{F799295B-8364-4BD8-886B-F7151D48EE55}"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F799295B-8364-4BD8-886B-F7151D48EE55}\ProgID\ = "ArchiveManager.Document"	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

Logo1_.exeDesktopLayer.exeDesktopLayer.exe

pid	process
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
2460	DesktopLayer.exe
2460	DesktopLayer.exe
2460	DesktopLayer.exe
2460	DesktopLayer.exe
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
1308	DesktopLayer.exe
1308	DesktopLayer.exe
1308	DesktopLayer.exe
1308	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe

pid process

2640 98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2512 iexplore.exe
2512 iexplore.exe

pid	process
2512	iexplore.exe
2512	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exeiexplore.exeIEXPLORE.EXE98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXEIEXPLORE.EXE

pid	process
2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
2512	iexplore.exe
2512	iexplore.exe
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
1640	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
2512	iexplore.exe
2512	iexplore.exe
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exeLogo1_.exenet.execmd.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exeDesktopLayer.exeiexplore.exe98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exeDesktopLayer.exe

description	pid	process	target process
PID 2416 wrote to memory of 2348	2416	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	cmd.exe
PID 2416 wrote to memory of 2348	2416	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	cmd.exe
PID 2416 wrote to memory of 2348	2416	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	cmd.exe
PID 2416 wrote to memory of 2348	2416	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	cmd.exe
PID 2416 wrote to memory of 2360	2416	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	Logo1_.exe
PID 2416 wrote to memory of 2360	2416	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	Logo1_.exe
PID 2416 wrote to memory of 2360	2416	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	Logo1_.exe
PID 2416 wrote to memory of 2360	2416	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	Logo1_.exe
PID 2360 wrote to memory of 2616	2360	Logo1_.exe	net.exe
PID 2360 wrote to memory of 2616	2360	Logo1_.exe	net.exe
PID 2360 wrote to memory of 2616	2360	Logo1_.exe	net.exe
PID 2360 wrote to memory of 2616	2360	Logo1_.exe	net.exe
PID 2616 wrote to memory of 2928	2616	net.exe	net1.exe
PID 2616 wrote to memory of 2928	2616	net.exe	net1.exe
PID 2616 wrote to memory of 2928	2616	net.exe	net1.exe
PID 2616 wrote to memory of 2928	2616	net.exe	net1.exe
PID 2348 wrote to memory of 2640	2348	cmd.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
PID 2348 wrote to memory of 2640	2348	cmd.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
PID 2348 wrote to memory of 2640	2348	cmd.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
PID 2348 wrote to memory of 2640	2348	cmd.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
PID 2640 wrote to memory of 2804	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
PID 2640 wrote to memory of 2804	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
PID 2640 wrote to memory of 2804	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
PID 2640 wrote to memory of 2804	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
PID 2804 wrote to memory of 2460	2804	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	DesktopLayer.exe
PID 2804 wrote to memory of 2460	2804	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	DesktopLayer.exe
PID 2804 wrote to memory of 2460	2804	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	DesktopLayer.exe
PID 2804 wrote to memory of 2460	2804	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe	DesktopLayer.exe
PID 2460 wrote to memory of 2512	2460	DesktopLayer.exe	iexplore.exe
PID 2460 wrote to memory of 2512	2460	DesktopLayer.exe	iexplore.exe
PID 2460 wrote to memory of 2512	2460	DesktopLayer.exe	iexplore.exe
PID 2460 wrote to memory of 2512	2460	DesktopLayer.exe	iexplore.exe
PID 2512 wrote to memory of 2560	2512	iexplore.exe	IEXPLORE.EXE
PID 2512 wrote to memory of 2560	2512	iexplore.exe	IEXPLORE.EXE
PID 2512 wrote to memory of 2560	2512	iexplore.exe	IEXPLORE.EXE
PID 2512 wrote to memory of 2560	2512	iexplore.exe	IEXPLORE.EXE
PID 2360 wrote to memory of 2512	2360	Logo1_.exe	iexplore.exe
PID 2360 wrote to memory of 2512	2360	Logo1_.exe	iexplore.exe
PID 2640 wrote to memory of 1640	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
PID 2640 wrote to memory of 1640	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
PID 2640 wrote to memory of 1640	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
PID 2640 wrote to memory of 1640	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
PID 1640 wrote to memory of 1432	1640	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
PID 1640 wrote to memory of 1432	1640	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
PID 1640 wrote to memory of 1432	1640	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
PID 1640 wrote to memory of 1432	1640	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
PID 1432 wrote to memory of 1308	1432	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe	DesktopLayer.exe
PID 1432 wrote to memory of 1308	1432	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe	DesktopLayer.exe
PID 1432 wrote to memory of 1308	1432	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe	DesktopLayer.exe
PID 1432 wrote to memory of 1308	1432	98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe	DesktopLayer.exe
PID 1308 wrote to memory of 1156	1308	DesktopLayer.exe	iexplore.exe
PID 1308 wrote to memory of 1156	1308	DesktopLayer.exe	iexplore.exe
PID 1308 wrote to memory of 1156	1308	DesktopLayer.exe	iexplore.exe
PID 1308 wrote to memory of 1156	1308	DesktopLayer.exe	iexplore.exe
PID 2512 wrote to memory of 1752	2512	iexplore.exe	IEXPLORE.EXE
PID 2512 wrote to memory of 1752	2512	iexplore.exe	IEXPLORE.EXE
PID 2512 wrote to memory of 1752	2512	iexplore.exe	IEXPLORE.EXE
PID 2512 wrote to memory of 1752	2512	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 2948	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	WerFault.exe
PID 2640 wrote to memory of 2948	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	WerFault.exe
PID 2640 wrote to memory of 2948	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	WerFault.exe
PID 2640 wrote to memory of 2948	2640	98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
"C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1352.bat
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
"C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
C:\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63bSrv.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:275457 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:209934 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1752

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63B.EXE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\98C4E27DD7ACF6454AEBA5E72DABE3CC7BFA4756B9EFBE4FED7CF276A7DFE63BSrv.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 292
4⤵
- Loads dropped DLL
- Program crash
PID:2948

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
41e5bbeb9a27c24b39dfcfcd41663134

SHA1
8a32317850b77cc92ae20411009a3895aef718ab

SHA256
72d2ac5cecc3741d7657a400645a90219822a2c91aa04bef827f837a57e0ac14

SHA512
9fb405ed3ea22d0bdc23474fb4727c38470f3509ac3bf754ebcde8fc6a7aea29bbe550c9245efb5c25e54554a92f370e78d0de8b8b8e319b4b57232ff7e1a2fd

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1352.bat
Filesize
722B

MD5
cd6f9de71f7343871acb809467bdc8ef

SHA1
cec1d8c6fd22b092d63049afe3117966fb76e8c2

SHA256
cbb98caa1dfb9c2f6c5523fb0e451d93fef6fc5c6094ef14a042bf4879116125

SHA512
b1637bce83813a0d4fffb0ece1a204c4f6373dfc1924935e3bbd32f73e3e76d02d0fa220c80b7c9fd8e8161748ad2e693afbef6f4eb8d060e39ef30f5c99ead0

Download Submit
C:\Windows\rundl132.exe
Filesize
26KB

MD5
ae8fa257ab75cde9b7ee813762663977

SHA1
9eb4f9d9f4f505ff0f91955ebcfc0db4c505961e

SHA256
16d8783f98e7b2a4decc7df42a7957c90fbb1d6017439c667f5b104e27f5399e

SHA512
22bd094fe05cadef25f64d33686e3d3992cdf51f795354c88f240388289c719420875bd5212a01b3fd4a180f384359dab7b3950e31b386d31310bd08c71528db

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
Filesize
8B

MD5
87cbd7a2d7bdb443a36ecfb46e39db18

SHA1
12aac09be13003e857809ea9434c76126ac39bbf

SHA256
fe5e34894849bd441c429cfd17e62e06b828a82b04c9f0e7cadd884d78b326e1

SHA512
75b0b484285909c577f97dd2b748e8b6e905b2a37dc8a569519325e67cac8b8932fbbd52c754df787e2a6326a9ca575e5d37372a9635718a310c642457ed17e0

Download Submit
\Users\Admin\AppData\Local\Temp\98c4e27dd7acf6454aeba5e72dabe3cc7bfa4756b9efbe4fed7cf276a7dfe63b.exe
Filesize
1.4MB

MD5
80384c0b7c8cd050ddc12bf134394ee7

SHA1
a92caed5099fa6f80b7f12701c6c782df3fff8e2

SHA256
50a93b7a23180a575cf8c7663cec7434b893d4149c1b5b5ef23f241ab916c0c5

SHA512
924384cd625fdfd22d2386b6d082c6b0e13028399bc18bcbd387c7de12550b6f99fe1f91c82ca148fbccedf86c5173023841ef284d25c27001eeffd3f44544ae

Download Submit
memory/1308-73-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1432-68-0x00000000003C0000-0x00000000003EE000-memory.dmp

Filesize
184KB

Download
memory/1432-70-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1640-61-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1640-64-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1640-62-0x00000000003A0000-0x00000000003CE000-memory.dmp

Filesize
184KB

Download
memory/2348-30-0x0000000002380000-0x00000000024EC000-memory.dmp

Filesize
1.4MB

Download
memory/2348-29-0x0000000002380000-0x00000000024EC000-memory.dmp

Filesize
1.4MB

Download
memory/2360-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-3389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-1968-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-1926-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-51-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2460-50-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2460-48-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2640-41-0x0000000000390000-0x00000000003BE000-memory.dmp

Filesize
184KB

Download
memory/2640-74-0x0000000000390000-0x00000000003BE000-memory.dmp

Filesize
184KB

Download
memory/2640-36-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2804-40-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2804-38-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download