ramnit | e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07beb

Analysis

max time kernel
132s
max time network
148s
platform
windows10_x64
resource
win10v20210408
submitted
08-05-2021 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07beb.exe
Size

288KB
MD5

5008a60721c16ef5fdc19321de567d34
SHA1

ce60264e4bcc9ada4bea700d632fc1c7b1666645
SHA256

e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07beb
SHA512

55890b01237eeef99ef99274074e06b97e26dece01164c3dfde74f8f5eb5dea02b249427cfb4e1c32ea9e510e81c67838950a4f894cd4fd9592cd0df765caeac

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 6 IoCs

Processes:

e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exee5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exee5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exe

pid	process
1888	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe
2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
852	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
848	DesktopLayer.exe
196	DesktopLayerSrv.exe
3548	DesktopLayerSrvSrv.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
behavioral2/memory/2224-152-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/852-155-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1888-149-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px7A85.tmp	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7AA4.tmp	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7CA8.tmp	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7AE3.tmp	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7C3A.tmp	DesktopLayerSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884935"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884935"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2021DB8E-B03B-11EB-B2DB-F6E29603A65E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30884935"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884935"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4113089012"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327270333"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884935"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{207ED79D-B03B-11EB-B2DB-F6E29603A65E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327286927"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4149339325"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4149339325"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4113089012"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4112932773"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4112932773"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884935"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4113245827"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exee5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exe

pid	process
2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
852	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
852	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
852	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
852	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
852	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
852	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
852	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
852	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
848	DesktopLayer.exe
848	DesktopLayer.exe
848	DesktopLayer.exe
848	DesktopLayer.exe
196	DesktopLayerSrv.exe
196	DesktopLayerSrv.exe
848	DesktopLayer.exe
848	DesktopLayer.exe
848	DesktopLayer.exe
848	DesktopLayer.exe
3548	DesktopLayerSrvSrv.exe
3548	DesktopLayerSrvSrv.exe
196	DesktopLayerSrv.exe
196	DesktopLayerSrv.exe
3548	DesktopLayerSrvSrv.exe
3548	DesktopLayerSrvSrv.exe
196	DesktopLayerSrv.exe
196	DesktopLayerSrv.exe
196	DesktopLayerSrv.exe
196	DesktopLayerSrv.exe
3548	DesktopLayerSrvSrv.exe
3548	DesktopLayerSrvSrv.exe
3548	DesktopLayerSrvSrv.exe
3548	DesktopLayerSrvSrv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2840 iexplore.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2840 iexplore.exe
3228 iexplore.exe
1004 iexplore.exe
1132 iexplore.exe
3004 iexplore.exe

pid	process
2840	iexplore.exe

pid	process
2840	iexplore.exe
3228	iexplore.exe
1004	iexplore.exe
1132	iexplore.exe
3004	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1004	iexplore.exe
1004	iexplore.exe
3228	iexplore.exe
3228	iexplore.exe
2840	iexplore.exe
2840	iexplore.exe
1132	iexplore.exe
1132	iexplore.exe
3004	iexplore.exe
3004	iexplore.exe
3880	IEXPLORE.EXE
3880	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
184	IEXPLORE.EXE
184	IEXPLORE.EXE
188	IEXPLORE.EXE
188	IEXPLORE.EXE
3356	IEXPLORE.EXE
3356	IEXPLORE.EXE
188	IEXPLORE.EXE
188	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07beb.exee5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exee5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exee5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1032 wrote to memory of 1888	1032	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07beb.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe
PID 1032 wrote to memory of 1888	1032	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07beb.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe
PID 1032 wrote to memory of 1888	1032	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07beb.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe
PID 1888 wrote to memory of 2224	1888	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
PID 1888 wrote to memory of 2224	1888	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
PID 1888 wrote to memory of 2224	1888	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
PID 2224 wrote to memory of 852	2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
PID 2224 wrote to memory of 852	2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
PID 2224 wrote to memory of 852	2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
PID 2224 wrote to memory of 1004	2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe	iexplore.exe
PID 2224 wrote to memory of 1004	2224	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe	iexplore.exe
PID 1888 wrote to memory of 848	1888	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe	DesktopLayer.exe
PID 1888 wrote to memory of 848	1888	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe	DesktopLayer.exe
PID 1888 wrote to memory of 848	1888	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe	DesktopLayer.exe
PID 852 wrote to memory of 2840	852	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe	iexplore.exe
PID 852 wrote to memory of 2840	852	e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe	iexplore.exe
PID 848 wrote to memory of 196	848	DesktopLayer.exe	DesktopLayerSrv.exe
PID 848 wrote to memory of 196	848	DesktopLayer.exe	DesktopLayerSrv.exe
PID 848 wrote to memory of 196	848	DesktopLayer.exe	DesktopLayerSrv.exe
PID 848 wrote to memory of 3004	848	DesktopLayer.exe	iexplore.exe
PID 848 wrote to memory of 3004	848	DesktopLayer.exe	iexplore.exe
PID 196 wrote to memory of 3548	196	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 196 wrote to memory of 3548	196	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 196 wrote to memory of 3548	196	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 196 wrote to memory of 1132	196	DesktopLayerSrv.exe	iexplore.exe
PID 196 wrote to memory of 1132	196	DesktopLayerSrv.exe	iexplore.exe
PID 3548 wrote to memory of 3228	3548	DesktopLayerSrvSrv.exe	iexplore.exe
PID 3548 wrote to memory of 3228	3548	DesktopLayerSrvSrv.exe	iexplore.exe
PID 1132 wrote to memory of 3356	1132	iexplore.exe	IEXPLORE.EXE
PID 1132 wrote to memory of 3356	1132	iexplore.exe	IEXPLORE.EXE
PID 1132 wrote to memory of 3356	1132	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 204	3004	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 204	3004	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 204	3004	iexplore.exe	IEXPLORE.EXE
PID 2840 wrote to memory of 188	2840	iexplore.exe	IEXPLORE.EXE
PID 2840 wrote to memory of 188	2840	iexplore.exe	IEXPLORE.EXE
PID 2840 wrote to memory of 188	2840	iexplore.exe	IEXPLORE.EXE
PID 3228 wrote to memory of 184	3228	iexplore.exe	IEXPLORE.EXE
PID 3228 wrote to memory of 184	3228	iexplore.exe	IEXPLORE.EXE
PID 3228 wrote to memory of 184	3228	iexplore.exe	IEXPLORE.EXE
PID 1004 wrote to memory of 3880	1004	iexplore.exe	IEXPLORE.EXE
PID 1004 wrote to memory of 3880	1004	iexplore.exe	IEXPLORE.EXE
PID 1004 wrote to memory of 3880	1004	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07beb.exe
"C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07beb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:82945 /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:3880

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:196

C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3228

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3228 CREDAT:82945 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3356

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
f24c21cc3be7daee3b2334dfbf6cc685

SHA1
3f5fc1985d1e6396c501c2b1529ba2b3974433a5

SHA256
9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227

SHA512
e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
f24c21cc3be7daee3b2334dfbf6cc685

SHA1
3f5fc1985d1e6396c501c2b1529ba2b3974433a5

SHA256
9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227

SHA512
e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
f24c21cc3be7daee3b2334dfbf6cc685

SHA1
3f5fc1985d1e6396c501c2b1529ba2b3974433a5

SHA256
9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227

SHA512
e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
f24c21cc3be7daee3b2334dfbf6cc685

SHA1
3f5fc1985d1e6396c501c2b1529ba2b3974433a5

SHA256
9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227

SHA512
e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
f24c21cc3be7daee3b2334dfbf6cc685

SHA1
3f5fc1985d1e6396c501c2b1529ba2b3974433a5

SHA256
9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227

SHA512
e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
1e0ba9d0e9341ff0e939187e84c36d7d

SHA1
e1c2bb70c00ed3db1d49025dfca61b3e0557c5f6

SHA256
c7a6ef00e0abc4297449fa62d64c91d096421257c07eb8d1e244239c4ed0cb02

SHA512
e4e5455f839d292d6f4d5bcaa75a5c598023f512566f1b4004617e90bbfcc6fe33ccc45b2c26a45f05f16284ea7c8dc47cab3b8d6ecc1e5a716bc064f8af929f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
1e0ba9d0e9341ff0e939187e84c36d7d

SHA1
e1c2bb70c00ed3db1d49025dfca61b3e0557c5f6

SHA256
c7a6ef00e0abc4297449fa62d64c91d096421257c07eb8d1e244239c4ed0cb02

SHA512
e4e5455f839d292d6f4d5bcaa75a5c598023f512566f1b4004617e90bbfcc6fe33ccc45b2c26a45f05f16284ea7c8dc47cab3b8d6ecc1e5a716bc064f8af929f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
ce8a7ee91c9217a058926d2e6b2ce687

SHA1
afe7030326cedbf3d41a6f0715d6667399c77231

SHA256
e6d32c56bbb74c8104ff67b1242125e3f6f5864079bf580777aae78ff6fc0ea5

SHA512
fc4d8c96f387519f3e52cddf11f83490159efb26feeace6b77c036053732fa1ba90883c62f7ca3de7ab75a013edf6b7361653a34153fc36e9515a5dc16fe0e59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
ce8a7ee91c9217a058926d2e6b2ce687

SHA1
afe7030326cedbf3d41a6f0715d6667399c77231

SHA256
e6d32c56bbb74c8104ff67b1242125e3f6f5864079bf580777aae78ff6fc0ea5

SHA512
fc4d8c96f387519f3e52cddf11f83490159efb26feeace6b77c036053732fa1ba90883c62f7ca3de7ab75a013edf6b7361653a34153fc36e9515a5dc16fe0e59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
9a6e96c8f2aa80e11935ef0cc4115dee

SHA1
948d088e115e0291978995be2ec4eff9e7ec145f

SHA256
25030426d35ce79582302e99dcb8d940b964a3c5d05e514b7e7ba58b70525ac1

SHA512
6026aed5b0f173d1eec2315f3ebf3de42bff4a9989f28969b5893cc74d9104a3325495fe76df13bb50e26c8ebba199c67d3f0d68c57f69f221199209c99d09a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
c31cf018800e58d1407ba4dcbcd99b8b

SHA1
49d4d682006b94893d153666557651196c98a3fe

SHA256
faa42feed2c57daee787011338b10aead2f60ef1f0db500f9dbbe795a267e1a1

SHA512
89d30f1583a209284b8409e67d286cdb20808feed1fb00b7bdc1af30e43a259fabc7f633dedb1cd29af0128694b32ba178d21403b6e04f9b67cadc9c9724b97b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
c31cf018800e58d1407ba4dcbcd99b8b

SHA1
49d4d682006b94893d153666557651196c98a3fe

SHA256
faa42feed2c57daee787011338b10aead2f60ef1f0db500f9dbbe795a267e1a1

SHA512
89d30f1583a209284b8409e67d286cdb20808feed1fb00b7bdc1af30e43a259fabc7f633dedb1cd29af0128694b32ba178d21403b6e04f9b67cadc9c9724b97b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
c31cf018800e58d1407ba4dcbcd99b8b

SHA1
49d4d682006b94893d153666557651196c98a3fe

SHA256
faa42feed2c57daee787011338b10aead2f60ef1f0db500f9dbbe795a267e1a1

SHA512
89d30f1583a209284b8409e67d286cdb20808feed1fb00b7bdc1af30e43a259fabc7f633dedb1cd29af0128694b32ba178d21403b6e04f9b67cadc9c9724b97b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
6a843622efe1f184b021eddbc6deb871

SHA1
a58b5cbd8507f3c407c0425fffc51c6f931cb0bf

SHA256
4075ef15a65b601e55080ffcde076081486732a954a96b983177efe45acb27d8

SHA512
9ae359e901247e84091a1efabecec2d38f77b75ec7c1d7be1fefb91b45258d7f8ce2d247a3bc79e58d1a93de6c8f3c5573b12a063b584f3e3ea7d9511f555dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
6a843622efe1f184b021eddbc6deb871

SHA1
a58b5cbd8507f3c407c0425fffc51c6f931cb0bf

SHA256
4075ef15a65b601e55080ffcde076081486732a954a96b983177efe45acb27d8

SHA512
9ae359e901247e84091a1efabecec2d38f77b75ec7c1d7be1fefb91b45258d7f8ce2d247a3bc79e58d1a93de6c8f3c5573b12a063b584f3e3ea7d9511f555dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
6a843622efe1f184b021eddbc6deb871

SHA1
a58b5cbd8507f3c407c0425fffc51c6f931cb0bf

SHA256
4075ef15a65b601e55080ffcde076081486732a954a96b983177efe45acb27d8

SHA512
9ae359e901247e84091a1efabecec2d38f77b75ec7c1d7be1fefb91b45258d7f8ce2d247a3bc79e58d1a93de6c8f3c5573b12a063b584f3e3ea7d9511f555dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
6a843622efe1f184b021eddbc6deb871

SHA1
a58b5cbd8507f3c407c0425fffc51c6f931cb0bf

SHA256
4075ef15a65b601e55080ffcde076081486732a954a96b983177efe45acb27d8

SHA512
9ae359e901247e84091a1efabecec2d38f77b75ec7c1d7be1fefb91b45258d7f8ce2d247a3bc79e58d1a93de6c8f3c5573b12a063b584f3e3ea7d9511f555dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
6a843622efe1f184b021eddbc6deb871

SHA1
a58b5cbd8507f3c407c0425fffc51c6f931cb0bf

SHA256
4075ef15a65b601e55080ffcde076081486732a954a96b983177efe45acb27d8

SHA512
9ae359e901247e84091a1efabecec2d38f77b75ec7c1d7be1fefb91b45258d7f8ce2d247a3bc79e58d1a93de6c8f3c5573b12a063b584f3e3ea7d9511f555dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{201F79AD-B03B-11EB-B2DB-F6E29603A65E}.dat
MD5
76df529be7fab8e4f8af0ef946230c4a

SHA1
144dd99f643d83bf5975033f25f1564fddbeb1de

SHA256
13a7bb35ba272748b6d2801d891642b15b7e523dd662423ed45a24e760368dce

SHA512
473ce958e9db926a7261b238a9fc49fe0c5ad4bc3167381c29dabb7b79f81f46cc0c0f1cb8c58676aa7763021f982a2e6a774a9f39ab6972f59011b6d62ab27f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2021DB8E-B03B-11EB-B2DB-F6E29603A65E}.dat
MD5
92c8931820458bca13c6fb4103108a9d

SHA1
f06d45ce0b39f7216ef738943bdbed3a47f5e558

SHA256
ebd2664cd677c8af6a53e813ad97f34ffa44aae38b9ac0d05159587084641486

SHA512
918eb4b69dd344c8c3c074e11c5d33fa5eb455d2a1541087717d3485275e599441c3ce9b56e2b2dcf821b6169e5e79857a98c08875fe64ff3813978427247e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{205D7764-B03B-11EB-B2DB-F6E29603A65E}.dat
MD5
8ab743f9e248d4e25b84e81a9fb324c5

SHA1
ee97019c6cbea839d7ed27628939fdb4a2aee85f

SHA256
4afe11540f807a0f3871c6215f7d4e070612fa071bf301b32b1171caaa1bbdd4

SHA512
ac93ec6659b954e41cc35445dcfefca52b95f94d1fc2bf9c1ecb3f0772806f0b9e9402e5141a406965bad089a83012227852cafffce47352cb6bf21e5412ca8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{205D7764-B03B-11EB-B2DB-F6E29603A65E}.dat
MD5
2cb07b6c54ad1b983e082b292b20b4c6

SHA1
d408c7fcc39288a7e93469c629684936b89de3bd

SHA256
37d8d5215fb83dd2ba0c0d299340300bd1bfad6cac0850552304bbdf3d02ca93

SHA512
caef90516380e77241a1b087d5c6e9ca6f4d8fd88c586ceef95f623b452c753079a6b6a2ea7de1a1a532ddd7d8b986582716e66cd1ec56308e5e8e8f89bb9792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2072EBFA-B03B-11EB-B2DB-F6E29603A65E}.dat
MD5
a14fb9721426dbab31f60544cfcd6875

SHA1
a64ecef975c0e95f5428898cc297eadfc2d52987

SHA256
46151a4622c12b6d5fb4e5bdb6987f2d368935e08f948286705c3bc227073a51

SHA512
4b9e4140f147e810b5572ffe683bc04aadc7aff4940256c057e8ec0db7389199703b2b693d193defda89bd16cf5a0936e10ec24cd83df5d3266878fb83dcf966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1EDFKRJP.cookie
MD5
eee8545b78ba5a2d84d65694cd9b6aac

SHA1
61ddd12bda617802e83356cccec713a0fa121013

SHA256
9bf83b955a64ffacae5d8ec44fe0ffe5f232077c0b28f2a2ed35d2a5da0ca567

SHA512
295a5b5a22e9d2f271fd5610fa967b50550b65279d04a58bb5400be43dee131a847aac2d8567d888e764189472eeb7ffec241ad14ecf2d073a106f7d1722679f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ATPWBWDV.cookie
MD5
50aa81b9d8a5841454b203c486d38e5e

SHA1
63e38e766b519bdd1dcef63e3fb1742b66b29336

SHA256
96f63bf5449165159370806bab247650d364693300faa6dc3264554c7bf171ce

SHA512
88bf28d77b5e214e4d8d9dda17ef56d348cb88880ff6157c3e4191aa96ff51f183d0e030e45d1700d6eaaa1978756b54e5b7687150eb092c48305107f0cd6c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5094b9e567150427a779a3e2803f4ff544c92be031da5d68685f275b7e07bebSrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/184-162-0x0000000000000000-mapping.dmp

Download
memory/188-161-0x0000000000000000-mapping.dmp

Download
memory/196-129-0x0000000000000000-mapping.dmp

Download
memory/204-160-0x0000000000000000-mapping.dmp

Download
memory/848-126-0x0000000000000000-mapping.dmp

Download
memory/848-132-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/852-119-0x0000000000000000-mapping.dmp

Download
memory/852-155-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1004-125-0x0000000000000000-mapping.dmp

Download
memory/1004-140-0x00007FFC5F130000-0x00007FFC5F19B000-memory.dmp

Filesize
428KB

Download
memory/1132-150-0x00007FFC5F130000-0x00007FFC5F19B000-memory.dmp

Filesize
428KB

Download
memory/1132-146-0x0000000000000000-mapping.dmp

Download
memory/1888-114-0x0000000000000000-mapping.dmp

Download
memory/1888-149-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1888-130-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/2224-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2224-116-0x0000000000000000-mapping.dmp

Download
memory/2224-121-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2840-127-0x0000000000000000-mapping.dmp

Download
memory/2840-142-0x00007FFC5F130000-0x00007FFC5F19B000-memory.dmp

Filesize
428KB

Download
memory/3004-147-0x00007FFC5F130000-0x00007FFC5F19B000-memory.dmp

Filesize
428KB

Download
memory/3004-135-0x0000000000000000-mapping.dmp

Download
memory/3228-148-0x0000000000000000-mapping.dmp

Download
memory/3228-153-0x00007FFC5F130000-0x00007FFC5F19B000-memory.dmp

Filesize
428KB

Download
memory/3356-159-0x0000000000000000-mapping.dmp

Download
memory/3548-144-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3548-136-0x0000000000000000-mapping.dmp

Download
memory/3880-163-0x0000000000000000-mapping.dmp

Download