ramnit | a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2

Analysis

max time kernel
119s
max time network
143s
platform
windows10_x64
resource
win10v20210410
submitted
04-05-2021 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2.exe
Size

353KB
MD5

77e274c816def15ffa1925d43d2d85a1
SHA1

922aacf5f67ff78e4593e4ca327ab87f9308b798
SHA256

a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2
SHA512

3ec6dc3ebfb7509161e00335c0b0d1cd01c85e35a68d446ad6e1302f553a48b531fb4997e00e0698cba23997e236e16ba914f4967c81e985fd414418171009d8

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 7 IoCs

Processes:

a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exea2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exeDesktopLayer.exea2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exeDesktopLayer.exe

pid	process
3608	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe
804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
1000	DesktopLayer.exe
584	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
1132	DesktopLayerSrv.exe
2364	DesktopLayerSrvSrv.exe
3552	DesktopLayer.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/3608-135-0x0000000000400000-0x000000000044B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe	upx
behavioral2/memory/1132-148-0x0000000000400000-0x000000000043D000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
behavioral2/memory/3552-155-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx

Drops file in Program Files directory 13 IoCs

Processes:

DesktopLayerSrv.exea2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exeDesktopLayer.exea2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exea2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exeDesktopLayerSrvSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px1CB5.tmp	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1A06.tmp	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1A92.tmp	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1B7D.tmp	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1D32.tmp	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3846155050"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3856936588"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884134"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3872092751"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3868343355"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "326942872"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30884134"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{10E469B6-AD1A-11EB-A11C-7EE81CB1838C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3858498609"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{109BEF6A-AD1A-11EB-A11C-7EE81CB1838C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884134"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "326974864"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3861781130"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884134"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1079C028-AD1A-11EB-A11C-7EE81CB1838C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3859436591"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3869280187"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3870217520"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exeDesktopLayer.exea2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exeDesktopLayerSrv.exeDesktopLayer.exe

pid	process
804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
1000	DesktopLayer.exe
1000	DesktopLayer.exe
804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
1000	DesktopLayer.exe
1000	DesktopLayer.exe
584	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
584	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
584	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
584	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
1000	DesktopLayer.exe
1000	DesktopLayer.exe
1000	DesktopLayer.exe
1000	DesktopLayer.exe
1132	DesktopLayerSrv.exe
1132	DesktopLayerSrv.exe
804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
584	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
584	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
584	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
584	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
1132	DesktopLayerSrv.exe
1132	DesktopLayerSrv.exe
1132	DesktopLayerSrv.exe
1132	DesktopLayerSrv.exe
1132	DesktopLayerSrv.exe
1132	DesktopLayerSrv.exe
3552	DesktopLayer.exe
3552	DesktopLayer.exe
3552	DesktopLayer.exe
3552	DesktopLayer.exe
3552	DesktopLayer.exe
3552	DesktopLayer.exe
3552	DesktopLayer.exe
3552	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1372 iexplore.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2448 iexplore.exe
4032 iexplore.exe
1432 iexplore.exe
3992 iexplore.exe
1372 iexplore.exe

pid	process
1372	iexplore.exe

pid	process
2448	iexplore.exe
4032	iexplore.exe
1432	iexplore.exe
3992	iexplore.exe
1372	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1432	iexplore.exe
1432	iexplore.exe
3992	iexplore.exe
3992	iexplore.exe
2448	iexplore.exe
2448	iexplore.exe
1372	iexplore.exe
1372	iexplore.exe
4032	iexplore.exe
4032	iexplore.exe
3896	IEXPLORE.EXE
3896	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2.exea2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exea2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exea2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exeDesktopLayerSrvSrv.exeDesktopLayer.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3876 wrote to memory of 3608	3876	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe
PID 3876 wrote to memory of 3608	3876	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe
PID 3876 wrote to memory of 3608	3876	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe
PID 3608 wrote to memory of 804	3608	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
PID 3608 wrote to memory of 804	3608	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
PID 3608 wrote to memory of 804	3608	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
PID 3608 wrote to memory of 1000	3608	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe	DesktopLayer.exe
PID 3608 wrote to memory of 1000	3608	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe	DesktopLayer.exe
PID 3608 wrote to memory of 1000	3608	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe	DesktopLayer.exe
PID 804 wrote to memory of 584	804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
PID 804 wrote to memory of 584	804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
PID 804 wrote to memory of 584	804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
PID 1000 wrote to memory of 1132	1000	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1000 wrote to memory of 1132	1000	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1000 wrote to memory of 1132	1000	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1000 wrote to memory of 1432	1000	DesktopLayer.exe	iexplore.exe
PID 1000 wrote to memory of 1432	1000	DesktopLayer.exe	iexplore.exe
PID 1132 wrote to memory of 2364	1132	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 1132 wrote to memory of 2364	1132	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 1132 wrote to memory of 2364	1132	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 804 wrote to memory of 1372	804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe	iexplore.exe
PID 804 wrote to memory of 1372	804	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe	iexplore.exe
PID 584 wrote to memory of 2448	584	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe	iexplore.exe
PID 584 wrote to memory of 2448	584	a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe	iexplore.exe
PID 2364 wrote to memory of 3552	2364	DesktopLayerSrvSrv.exe	DesktopLayer.exe
PID 2364 wrote to memory of 3552	2364	DesktopLayerSrvSrv.exe	DesktopLayer.exe
PID 2364 wrote to memory of 3552	2364	DesktopLayerSrvSrv.exe	DesktopLayer.exe
PID 1132 wrote to memory of 3992	1132	DesktopLayerSrv.exe	iexplore.exe
PID 1132 wrote to memory of 3992	1132	DesktopLayerSrv.exe	iexplore.exe
PID 3552 wrote to memory of 4032	3552	DesktopLayer.exe	iexplore.exe
PID 3552 wrote to memory of 4032	3552	DesktopLayer.exe	iexplore.exe
PID 1432 wrote to memory of 3896	1432	iexplore.exe	IEXPLORE.EXE
PID 1432 wrote to memory of 3896	1432	iexplore.exe	IEXPLORE.EXE
PID 1432 wrote to memory of 3896	1432	iexplore.exe	IEXPLORE.EXE
PID 3992 wrote to memory of 1532	3992	iexplore.exe	IEXPLORE.EXE
PID 3992 wrote to memory of 1532	3992	iexplore.exe	IEXPLORE.EXE
PID 3992 wrote to memory of 1532	3992	iexplore.exe	IEXPLORE.EXE
PID 2448 wrote to memory of 2700	2448	iexplore.exe	IEXPLORE.EXE
PID 2448 wrote to memory of 2700	2448	iexplore.exe	IEXPLORE.EXE
PID 2448 wrote to memory of 2700	2448	iexplore.exe	IEXPLORE.EXE
PID 1372 wrote to memory of 3940	1372	iexplore.exe	IEXPLORE.EXE
PID 1372 wrote to memory of 3940	1372	iexplore.exe	IEXPLORE.EXE
PID 1372 wrote to memory of 3940	1372	iexplore.exe	IEXPLORE.EXE
PID 4032 wrote to memory of 204	4032	iexplore.exe	IEXPLORE.EXE
PID 4032 wrote to memory of 204	4032	iexplore.exe	IEXPLORE.EXE
PID 4032 wrote to memory of 204	4032	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2.exe
"C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3608

C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132

C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2364

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3992 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4032 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
291fc4f6a069c3a1bb90e05745e5b7bf

SHA1
f40e1255af422cb9e3533fe1d010c5692b0f4d5b

SHA256
44dd792f520e2d5a05fc8c2f5b38b3aca8ee996015e90acdb306b8f063bb1cdd

SHA512
ea89971ef41b97e02c03c001fd295811cc6371b68cf153b13f79f6947868a6a4a500b7f476ba91c012e5997efb9ff9d54ae1847d6333155336e665a9738110fc

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
ece429fdd92c348659088994b3662895

SHA1
1d09809447fd960adcd48f9dd61eb39efb537abf

SHA256
85f1da7859ea974f16f2effa6235ac263a5dadac183da9e9b6c0316d1fc87a90

SHA512
50bc31a42d350be3619eef0bc6fc9e9b8267392f637ff527b71acfcc7f752687bf487f95790562119965f945bd5af8fceebddf61a599b6695cf925867ab77410

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
10987a1d727697d22e9613985bf39eba

SHA1
d92fa559cdea14bdc068eb5388f4a8725d9d290c

SHA256
8c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063

SHA512
31910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
cdfde5033fc6bdf2766e3f331c689713

SHA1
ec3152aae950ebbe712e2219f14281193ac0d723

SHA256
1ddda7003e4a4a9f5b1e3dd5e380c6d9832c57122fa584623c42d91e299e1bdf

SHA512
ceb2c000dd2b3bba80d63218780f2ebb65c873f5442eba1554060ed327150e93b2744943f5d409c9a695c45ae0620449e128dd83ca6e7cb6a14db3ac5db0c191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{109BEF6A-AD1A-11EB-A11C-7EE81CB1838C}.dat
MD5
bd00d18fa197cbe5c9e408ef22839f7a

SHA1
4ca231cac9b94dbbc5479c76768d115292736a71

SHA256
ac87f6b5c9d2215f0cc97ce0fbfba728e90e8a375210169b3c1b1d69178b7d48

SHA512
c0b3148badf395906945a0c162729350c8fab8bc7e0350270c65556285b83f37c898b18ab84ea9371e97f5d251ae814adb9f6086795323cf6b4dd35fd16ef0e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{10E469B6-AD1A-11EB-A11C-7EE81CB1838C}.dat
MD5
a462124286afa1ddc14831c99f303057

SHA1
9c7108cbb9f11c017b1c55ac9b636d259e5352d8

SHA256
6e7545f27c77214316d248a6f8ee5433f9c11ae1022f5ffdbbd2695af9ca6585

SHA512
5029c6f26abdeb83ec7c5e70ffb93b450aad24e6d8d3e982ef046487ebb4841ff153212a1238d0baa0002c72efd831508bee73316481a2a2ebcbba2e02159c31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{10E469B6-AD1A-11EB-A11C-7EE81CB1838C}.dat
MD5
511c4cd6e1505bebbc5c6349693662da

SHA1
85880ddf2925f60058d920ef154d4bd5d2d913d7

SHA256
a5a3ca6fcf0a6c768105cfced7f4f47bcaa7d471d2655df9fab11655938218b4

SHA512
7a3540c6b2c24aa545c7039a3f50b33a85acb7c5fdc5b38f1149fb0972692febf4be13f3886661cee56a01b4a69a46bda495663151e9a2cc6cb3e8c2a158ce87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\4M1PEBSI.cookie
MD5
46078ae2a52cb12288464e74c844705f

SHA1
70ffd3897d0b404691ab0f0699b8d164ab5439f6

SHA256
37ece4e19139c9c0299c055ea239a8f94f8035661de95171e6a3a28bdfefcf03

SHA512
3fe6727d2f7ffe16d19d27047fc9203816d860e2a2d14a4dba2d3c20d25427c8a62ef6ef40a148f17334f1c2a0301813e3d9c18e5be25b06a90281b49c3761ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\FP90C1EL.cookie
MD5
72f48fc3e797b30c3e2bf85d13e4b7b7

SHA1
e40b3a1292a5e9c41f1282649f57623041a07ebb

SHA256
d4d268e59097020b3b3e0aa0934464ce12167be548c097a002f263fbf1e461d2

SHA512
cb39e699fb1405e975b454f7d2557552b03373937142bc329628f46f6709b619488d55018d70e2c1ef7d1de963f86a8f95019e8f4cd4f03bb80e65e4b98320cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2Srv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2debf74976609695002e376659c93f42025990eab3f35cb9fa839026caa72a2SrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/204-168-0x0000000000000000-mapping.dmp

Download
memory/584-120-0x0000000000000000-mapping.dmp

Download
memory/804-116-0x0000000000000000-mapping.dmp

Download
memory/804-125-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1000-119-0x0000000000000000-mapping.dmp

Download
memory/1132-148-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1132-122-0x0000000000000000-mapping.dmp

Download
memory/1372-145-0x00007FFE0F8B0000-0x00007FFE0F91B000-memory.dmp

Filesize
428KB

Download
memory/1372-134-0x0000000000000000-mapping.dmp

Download
memory/1432-142-0x00007FFE0F8B0000-0x00007FFE0F91B000-memory.dmp

Filesize
428KB

Download
memory/1432-132-0x0000000000000000-mapping.dmp

Download
memory/1532-165-0x0000000000000000-mapping.dmp

Download
memory/2364-133-0x0000000000000000-mapping.dmp

Download
memory/2448-136-0x0000000000000000-mapping.dmp

Download
memory/2448-147-0x00007FFE0F8B0000-0x00007FFE0F91B000-memory.dmp

Filesize
428KB

Download
memory/2700-166-0x0000000000000000-mapping.dmp

Download
memory/3552-143-0x0000000000000000-mapping.dmp

Download
memory/3552-151-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/3552-155-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3608-114-0x0000000000000000-mapping.dmp

Download
memory/3608-131-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/3608-135-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3896-164-0x0000000000000000-mapping.dmp

Download
memory/3940-167-0x0000000000000000-mapping.dmp

Download
memory/3992-144-0x0000000000000000-mapping.dmp

Download
memory/3992-152-0x00007FFE0F8B0000-0x00007FFE0F91B000-memory.dmp

Filesize
428KB

Download
memory/4032-156-0x00007FFE0F8B0000-0x00007FFE0F91B000-memory.dmp

Filesize
428KB

Download
memory/4032-154-0x0000000000000000-mapping.dmp

Download