ramnit | 5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

Analysis

max time kernel
93s
max time network
143s
platform
windows10_x64
resource
win10v20210410
submitted
04-05-2021 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe
Size

168KB
MD5

395a1a546b4424e3f11cd3ea26066ff9
SHA1

2f18bf153ed75cd9f33f356d1b9b02219c3a1279
SHA256

5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a
SHA512

2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

Processes:

5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exeDesktopLayer.exe5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exe

pid	process
1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
1888	DesktopLayer.exe
1468	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
2408	DesktopLayerSrv.exe
2688	DesktopLayerSrvSrv.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
behavioral2/memory/3400-145-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1756-147-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/1468-149-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe	upx

Drops file in Program Files directory 13 IoCs

Processes:

5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exeDesktopLayerSrv.exe5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exeDesktopLayerSrvSrv.exeDesktopLayer.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1A92.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px190C.tmp	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px19D7.tmp	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1B00.tmp	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1860.tmp	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "966762251"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "947075207"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30884192"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884192"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{63E08DF3-AD53-11EB-A11C-425E2D5A16C6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "326950899"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "947231047"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884192"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884192"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884192"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884192"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "950043488"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{63A2249E-AD53-11EB-A11C-425E2D5A16C6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "326967493"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884192"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "966762251"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884192"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{63D605F1-AD53-11EB-A11C-425E2D5A16C6} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30884192"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

pid	process
1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
1888	DesktopLayer.exe
1888	DesktopLayer.exe
1468	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
1468	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
1888	DesktopLayer.exe
1888	DesktopLayer.exe
1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
1468	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
1468	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
2408	DesktopLayerSrv.exe
2408	DesktopLayerSrv.exe
1888	DesktopLayer.exe
1888	DesktopLayer.exe
1888	DesktopLayer.exe
1888	DesktopLayer.exe
1468	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
1468	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
1468	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
1468	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
2688	DesktopLayerSrvSrv.exe
2688	DesktopLayerSrvSrv.exe
2408	DesktopLayerSrv.exe
2408	DesktopLayerSrv.exe
2688	DesktopLayerSrvSrv.exe
2688	DesktopLayerSrvSrv.exe
2408	DesktopLayerSrv.exe
2408	DesktopLayerSrv.exe
2408	DesktopLayerSrv.exe
2408	DesktopLayerSrv.exe
2688	DesktopLayerSrvSrv.exe
2688	DesktopLayerSrvSrv.exe
2688	DesktopLayerSrvSrv.exe
2688	DesktopLayerSrvSrv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

96 iexplore.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2452 iexplore.exe
96 iexplore.exe
2572 iexplore.exe
2732 iexplore.exe
2772 iexplore.exe

pid	process
96	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2452	iexplore.exe
2452	iexplore.exe
2732	iexplore.exe
2732	iexplore.exe
2572	iexplore.exe
2572	iexplore.exe
96	iexplore.exe
96	iexplore.exe
2772	iexplore.exe
2772	iexplore.exe
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
3400	IEXPLORE.EXE
3400	IEXPLORE.EXE
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
1892	IEXPLORE.EXE
1892	IEXPLORE.EXE
4016	IEXPLORE.EXE
4016	IEXPLORE.EXE
3400	IEXPLORE.EXE
3400	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exeDesktopLayer.exeDesktopLayerSrv.exe5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exeDesktopLayerSrvSrv.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3400 wrote to memory of 1756	3400	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
PID 3400 wrote to memory of 1756	3400	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
PID 3400 wrote to memory of 1756	3400	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
PID 3400 wrote to memory of 1888	3400	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe	DesktopLayer.exe
PID 3400 wrote to memory of 1888	3400	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe	DesktopLayer.exe
PID 3400 wrote to memory of 1888	3400	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe	DesktopLayer.exe
PID 1756 wrote to memory of 1468	1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
PID 1756 wrote to memory of 1468	1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
PID 1756 wrote to memory of 1468	1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
PID 1888 wrote to memory of 2408	1888	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1888 wrote to memory of 2408	1888	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1888 wrote to memory of 2408	1888	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1756 wrote to memory of 2452	1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe	iexplore.exe
PID 1756 wrote to memory of 2452	1756	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe	iexplore.exe
PID 2408 wrote to memory of 2688	2408	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 2408 wrote to memory of 2688	2408	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 2408 wrote to memory of 2688	2408	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 1888 wrote to memory of 2732	1888	DesktopLayer.exe	iexplore.exe
PID 1888 wrote to memory of 2732	1888	DesktopLayer.exe	iexplore.exe
PID 1468 wrote to memory of 2772	1468	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe	iexplore.exe
PID 1468 wrote to memory of 2772	1468	5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe	iexplore.exe
PID 2408 wrote to memory of 2572	2408	DesktopLayerSrv.exe	iexplore.exe
PID 2408 wrote to memory of 2572	2408	DesktopLayerSrv.exe	iexplore.exe
PID 2688 wrote to memory of 96	2688	DesktopLayerSrvSrv.exe	iexplore.exe
PID 2688 wrote to memory of 96	2688	DesktopLayerSrvSrv.exe	iexplore.exe
PID 2772 wrote to memory of 2760	2772	iexplore.exe	IEXPLORE.EXE
PID 2772 wrote to memory of 2760	2772	iexplore.exe	IEXPLORE.EXE
PID 2772 wrote to memory of 2760	2772	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 3972	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 3972	2732	iexplore.exe	IEXPLORE.EXE
PID 2732 wrote to memory of 3972	2732	iexplore.exe	IEXPLORE.EXE
PID 2452 wrote to memory of 4016	2452	iexplore.exe	IEXPLORE.EXE
PID 2452 wrote to memory of 4016	2452	iexplore.exe	IEXPLORE.EXE
PID 2452 wrote to memory of 4016	2452	iexplore.exe	IEXPLORE.EXE
PID 2572 wrote to memory of 1892	2572	iexplore.exe	IEXPLORE.EXE
PID 2572 wrote to memory of 1892	2572	iexplore.exe	IEXPLORE.EXE
PID 2572 wrote to memory of 1892	2572	iexplore.exe	IEXPLORE.EXE
PID 96 wrote to memory of 3400	96	iexplore.exe	IEXPLORE.EXE
PID 96 wrote to memory of 3400	96	iexplore.exe	IEXPLORE.EXE
PID 96 wrote to memory of 3400	96	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe
"C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3400

C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:82945 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:82945 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:96

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:96 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
10987a1d727697d22e9613985bf39eba

SHA1
d92fa559cdea14bdc068eb5388f4a8725d9d290c

SHA256
8c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063

SHA512
31910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
10987a1d727697d22e9613985bf39eba

SHA1
d92fa559cdea14bdc068eb5388f4a8725d9d290c

SHA256
8c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063

SHA512
31910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
ede3727fdd19fdaade1a135945cb53c1

SHA1
29fbb9b7bec5437dc4e08dc3cf043c49b9f80869

SHA256
edf98c4660d19c165c3a9e929536510da512d6a3f49f36f1e515456c025a0aa7

SHA512
bbf8022b6603955ed0cfa00f4d4377cccd965570b696c3bbb8141f2f817299e2d7a54c630fe54ec347d274966083434b198402a7cdc5acb77e437ae6be157166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
cd33646efcd4a591133b51949f3b0608

SHA1
84f3288dee79521d67b35df665244c7cbbe3f083

SHA256
a49ae17bf503c4bd19618d704d498c1610abf8301f007b30adf52a4af0feaf95

SHA512
a685b1d3a2e07641d6f5c816d3be9eccf41ac240da6e24f869a48708f63f9b32dad267b898a43d9f9e69c869bc41d79351ffea6c408daa0fb7667eb70061d339

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
e462642718887369fc8b74381ee06c31

SHA1
c3eecf2e80b2b89fb450fd87151e1ffbe9bcf2a1

SHA256
46190c4593bb12319ab573776c4ec02529f8e2bb41afbf3228d77620f8d703d5

SHA512
8ab130e116dd8396ef30dc2fa7780a354b76325412c1eb926bd1b053a44f490883f69877e6f698c934edae29b5b3ad33461e97dd5971e4140981f7ff56f019f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
b09e407064d8a74044fa83c9dd9bbc58

SHA1
77b011a0acca52a3093c68743f0b2f68e19ae02c

SHA256
50cf75c6905ff3abdf182b5704a1673310fd1cbfc5449f8e47a7c9e9477e0716

SHA512
91146291b2ab27b1ff8fdaf52b5b4cefd68c4ddc3a5b8149979f8b8db80b0e245637e76786693f4bcdf24ebeb5590fe2a9e0ac6b09a335f927ff2eacc30486c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
b09e407064d8a74044fa83c9dd9bbc58

SHA1
77b011a0acca52a3093c68743f0b2f68e19ae02c

SHA256
50cf75c6905ff3abdf182b5704a1673310fd1cbfc5449f8e47a7c9e9477e0716

SHA512
91146291b2ab27b1ff8fdaf52b5b4cefd68c4ddc3a5b8149979f8b8db80b0e245637e76786693f4bcdf24ebeb5590fe2a9e0ac6b09a335f927ff2eacc30486c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
b09e407064d8a74044fa83c9dd9bbc58

SHA1
77b011a0acca52a3093c68743f0b2f68e19ae02c

SHA256
50cf75c6905ff3abdf182b5704a1673310fd1cbfc5449f8e47a7c9e9477e0716

SHA512
91146291b2ab27b1ff8fdaf52b5b4cefd68c4ddc3a5b8149979f8b8db80b0e245637e76786693f4bcdf24ebeb5590fe2a9e0ac6b09a335f927ff2eacc30486c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{63B14075-AD53-11EB-A11C-425E2D5A16C6}.dat
MD5
37c406fb9d5005c0d42de9dd6263015c

SHA1
c95d068ea2aee9921a0c9baaca9589fa5ab251f4

SHA256
629b69f08325d858aa4ca0e6605d4e51d11c25477a14f71a0e689299de0273b2

SHA512
d2e8fbd71e33da760b2f993be077c286591ba08f5eb4d48a88411c802315752bb7c4cf92014906f1217e31468c20bf02f6ddb6230ca8761d3dca852cd7562913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{63C3B6FD-AD53-11EB-A11C-425E2D5A16C6}.dat
MD5
e920a6b7876e7291030a3973b5528d1f

SHA1
1d610452842bfe0020cf75c3c87e83bf062313cd

SHA256
26bb83132b5df4a70232dcfe44ec76f3afc30e41d8b4f3d80842787cd02b2edb

SHA512
d26392976b018c8f55c4357499aba422ff7c6fd7a8abe480a15ac59ad28f859c64918303b8bc06d3401d7a3089de020509c17f07c879186dd903b2eb46caee1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{63D605F1-AD53-11EB-A11C-425E2D5A16C6}.dat
MD5
7b7b3fb50a717ffd98231634be7e0fc7

SHA1
eea706fcd2ce25306cfd08055d291dd73ba50330

SHA256
4a079241a9adf2c87d01c0e81a3505f58d70cc430630137f6ef1917b4fab8f4d

SHA512
932431f9cc4e5575f4a877c1fad8e05f7aae1c9be4446eaccc2bf4a92b7c2465590ad30ce1892d7221bcb1279b3cc38f4f42df9e1d896a508bfa1eff53bba929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{63E08DF3-AD53-11EB-A11C-425E2D5A16C6}.dat
MD5
ddec9f3f2527f65ed5d7661c5a8bdaae

SHA1
b730405b2a9ae9bef5adc3959a7b36706814247a

SHA256
ac998c9685f4e8479d28fc2a931d0bbf294196acd8df39f9512c72d4d264f906

SHA512
af15ade9e213e5788064612fe210c0e58093b2aaf8d89188f8fc0b63f53d77be2aeadd825b434ed9fc399f15f72547dc97eb02e8e87fec7344d5d5c1bf1270af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PS25PT6T.cookie
MD5
48705382ec6472b9a9dacf4cf335edc8

SHA1
d1db7644d8fd32d4f27f4445012dc03e6defe887

SHA256
e5f47c58ce8f576d5de4c51f4246d15ba02cf3884b13dfa19ef09a17cb9ad1b1

SHA512
b05c4fbe9d8ffcc6dec7462216ca1ec3ad45e411b81dc778adc7895c025b65d8323df07cbdff41bc5df676541f67334450e07daaf2c8aba40a7e8cc95810d85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\X8AAO9RB.cookie
MD5
cd3dd6d76456fd67c2fcd0bd7ec8df95

SHA1
b5b085709327a403844c42dd0f4781b58f6caf58

SHA256
c3945be691ce7882ae6159761077ac5c0c8d4fc217e5b3f2f57b1299bb0ed4d8

SHA512
ad40a929fd7328bab3d9e6e25c673da7067ea9b9727795ee8e113b24571c8f484db160ef5682bc75998d2067752ca8841af9bf3bce6e7393bee5da88e11840b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6aSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/96-141-0x0000000000000000-mapping.dmp

Download
memory/96-144-0x00007FF843820000-0x00007FF84388B000-memory.dmp

Filesize
428KB

Download
memory/1468-149-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1468-127-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1468-117-0x0000000000000000-mapping.dmp

Download
memory/1756-147-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1756-114-0x0000000000000000-mapping.dmp

Download
memory/1756-119-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1888-126-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1888-116-0x0000000000000000-mapping.dmp

Download
memory/1892-159-0x0000000000000000-mapping.dmp

Download
memory/2408-122-0x0000000000000000-mapping.dmp

Download
memory/2452-134-0x00007FF843820000-0x00007FF84388B000-memory.dmp

Filesize
428KB

Download
memory/2452-123-0x0000000000000000-mapping.dmp

Download
memory/2572-143-0x00007FF843820000-0x00007FF84388B000-memory.dmp

Filesize
428KB

Download
memory/2572-139-0x0000000000000000-mapping.dmp

Download
memory/2688-129-0x0000000000000000-mapping.dmp

Download
memory/2732-137-0x00007FF843820000-0x00007FF84388B000-memory.dmp

Filesize
428KB

Download
memory/2732-130-0x0000000000000000-mapping.dmp

Download
memory/2760-156-0x0000000000000000-mapping.dmp

Download
memory/2772-131-0x0000000000000000-mapping.dmp

Download
memory/2772-140-0x00007FF843820000-0x00007FF84388B000-memory.dmp

Filesize
428KB

Download
memory/3400-160-0x0000000000000000-mapping.dmp

Download
memory/3400-142-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/3400-145-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3972-158-0x0000000000000000-mapping.dmp

Download
memory/4016-157-0x0000000000000000-mapping.dmp

Download