ramnit | 99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83

Analysis

max time kernel
140s
max time network
145s
platform
windows10_x64
resource
win10v20210410
submitted
09-05-2021 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83.exe
Size

239KB
MD5

04619d1454626bb64be70fae41c06240
SHA1

192960125a50cb9e947619d3e8410a4b49502f20
SHA256

99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83
SHA512

71936a552e27d6bf93f4eaff8f5a9497d3e6e72372291a438c640abcda41bd7d9add13f18f36dbee5732ef511f7e810b26aec2c66c66c29982102af87e571dc9

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 6 IoCs

Processes:

99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exeDesktopLayer.exe99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exe

pid	process
908	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe
1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
1508	DesktopLayer.exe
1596	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
2012	DesktopLayerSrv.exe
2416	DesktopLayerSrvSrv.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
behavioral2/memory/908-146-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1172-150-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/1596-152-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx

Drops file in Program Files directory 13 IoCs

Processes:

99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exeDesktopLayerSrvSrv.exe99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exeDesktopLayer.exe99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exeDesktopLayerSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px8A1.tmp	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA95.tmp	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7C6.tmp	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px852.tmp	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA56.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327384373"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885201"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885201"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2092492213"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2068899515"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2078742227"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2093899031"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6CF8030-B144-11EB-A11C-56F1F4F21F1A} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2079367591"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6A6F9AF-B144-11EB-A11C-56F1F4F21F1A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2079367591"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885201"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885201"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2087961193"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327400966"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2079367591"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A698A9CD-B144-11EB-A11C-56F1F4F21F1A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6D90ACB-B144-11EB-A11C-56F1F4F21F1A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2078898799"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885201"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exeIEXPLORE.EXE

pid	process
1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
1596	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
1596	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
1596	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
1596	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
1596	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
1596	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
1596	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
1596	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
2012	DesktopLayerSrv.exe
2012	DesktopLayerSrv.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
2416	DesktopLayerSrvSrv.exe
2416	DesktopLayerSrvSrv.exe
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2416	DesktopLayerSrvSrv.exe
2416	DesktopLayerSrvSrv.exe
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2416	DesktopLayerSrvSrv.exe
2416	DesktopLayerSrvSrv.exe
2416	DesktopLayerSrvSrv.exe
2416	DesktopLayerSrvSrv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2168 iexplore.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2464 iexplore.exe
2184 iexplore.exe
3520 iexplore.exe
2168 iexplore.exe
3340 iexplore.exe

pid	process
2168	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2464	iexplore.exe
2464	iexplore.exe
3872	IEXPLORE.EXE
3872	IEXPLORE.EXE
2184	iexplore.exe
2184	iexplore.exe
3340	iexplore.exe
3340	iexplore.exe
3520	iexplore.exe
3520	iexplore.exe
2168	iexplore.exe
2168	iexplore.exe
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
3896	IEXPLORE.EXE
3896	IEXPLORE.EXE
3980	IEXPLORE.EXE
3980	IEXPLORE.EXE
4132	IEXPLORE.EXE
4132	IEXPLORE.EXE
4132	IEXPLORE.EXE
4132	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83.exe99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exeDesktopLayer.exe99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exeDesktopLayerSrv.exeIEXPLORE.EXEDesktopLayerSrvSrv.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4064 wrote to memory of 908	4064	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe
PID 4064 wrote to memory of 908	4064	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe
PID 4064 wrote to memory of 908	4064	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe
PID 908 wrote to memory of 1172	908	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
PID 908 wrote to memory of 1172	908	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
PID 908 wrote to memory of 1172	908	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
PID 908 wrote to memory of 1508	908	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe	DesktopLayer.exe
PID 908 wrote to memory of 1508	908	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe	DesktopLayer.exe
PID 908 wrote to memory of 1508	908	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe	DesktopLayer.exe
PID 1172 wrote to memory of 1596	1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
PID 1172 wrote to memory of 1596	1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
PID 1172 wrote to memory of 1596	1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
PID 1508 wrote to memory of 2012	1508	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1508 wrote to memory of 2012	1508	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1508 wrote to memory of 2012	1508	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1172 wrote to memory of 2168	1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe	iexplore.exe
PID 1172 wrote to memory of 2168	1172	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe	iexplore.exe
PID 1596 wrote to memory of 2184	1596	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe	iexplore.exe
PID 1596 wrote to memory of 2184	1596	99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe	iexplore.exe
PID 2012 wrote to memory of 2416	2012	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 2012 wrote to memory of 2416	2012	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 2012 wrote to memory of 2416	2012	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 1508 wrote to memory of 2464	1508	DesktopLayer.exe	iexplore.exe
PID 1508 wrote to memory of 2464	1508	DesktopLayer.exe	iexplore.exe
PID 2012 wrote to memory of 3520	2012	IEXPLORE.EXE	iexplore.exe
PID 2012 wrote to memory of 3520	2012	IEXPLORE.EXE	iexplore.exe
PID 2416 wrote to memory of 3340	2416	DesktopLayerSrvSrv.exe	iexplore.exe
PID 2416 wrote to memory of 3340	2416	DesktopLayerSrvSrv.exe	iexplore.exe
PID 2464 wrote to memory of 3872	2464	iexplore.exe	IEXPLORE.EXE
PID 2464 wrote to memory of 3872	2464	iexplore.exe	IEXPLORE.EXE
PID 2464 wrote to memory of 3872	2464	iexplore.exe	IEXPLORE.EXE
PID 2184 wrote to memory of 2012	2184	iexplore.exe	IEXPLORE.EXE
PID 2184 wrote to memory of 2012	2184	iexplore.exe	IEXPLORE.EXE
PID 2184 wrote to memory of 2012	2184	iexplore.exe	IEXPLORE.EXE
PID 3340 wrote to memory of 3896	3340	iexplore.exe	IEXPLORE.EXE
PID 3340 wrote to memory of 3896	3340	iexplore.exe	IEXPLORE.EXE
PID 3340 wrote to memory of 3896	3340	iexplore.exe	IEXPLORE.EXE
PID 3520 wrote to memory of 3980	3520	iexplore.exe	IEXPLORE.EXE
PID 3520 wrote to memory of 3980	3520	iexplore.exe	IEXPLORE.EXE
PID 3520 wrote to memory of 3980	3520	iexplore.exe	IEXPLORE.EXE
PID 2168 wrote to memory of 4132	2168	iexplore.exe	IEXPLORE.EXE
PID 2168 wrote to memory of 4132	2168	iexplore.exe	IEXPLORE.EXE
PID 2168 wrote to memory of 4132	2168	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83.exe
"C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4132

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3872

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3340

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3340 CREDAT:82945 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3520 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
6b816ee93f1cf36935099a4d593bb05f

SHA1
0c0189324d4658217cfb69ed3131f657ee82ef28

SHA256
0f617ef157edf719de5b1281c6f2afb01903acd66aa0a60e075cfc341adcb6f5

SHA512
cd270c8c41db861a78e1a08c08f2186f95e3f45b0d964edb2d9eb8aa4ecf9f796f07ffc2f03a3d96848cb0142cb0d6838fdd08daa68c53bcd176ca27f4320b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
e723e23dd61cbc492f4a6b2b0e37c116

SHA1
404fcdbd2428751c972e00a5564ed28a860c2ba4

SHA256
03457eab94ccf693180ce2ab7cd494299e0094a01a04f947a3fd08f614dab116

SHA512
d59303df6040292ec3f5f2f193a7eb6ad39c627f769ba04c038dad66b4002e67d405ceb7cd62edc2af5af7ff9b65264ca014ce9cd2d8d72d9e855f1a4429f383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A6964857-B144-11EB-A11C-56F1F4F21F1A}.dat
MD5
4a8c622745d469efcff6a3aae9b807c8

SHA1
4e3927226ab841cd8f63a5e824b115b99985bdf3

SHA256
fde306725af5ecd788e800967d09af32257183114e6842b228bb03e0deab2867

SHA512
b45e85591275c43f33a8e8200d33e9fe79accfe9e647b32bb55065027c8211248ddb64ebbf25bde0d873b74c488b5ebfa46320747ae964151de005b3d517172c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A6964857-B144-11EB-A11C-56F1F4F21F1A}.dat
MD5
8c0010bd15f1f476625f46f03d05481b

SHA1
14a87f6fbbe9ad7cfc71182968448ca656ae46e6

SHA256
202c643bd84d08a3e21de203829249454f3eec8421114f4fb88f8cb37c9a75ca

SHA512
c57836f7277e7285620bea662eb887ec0e3fa8c4a93f3fd6c79c91e761a7c3875157b619cb47bbcf8b2db725aaf7a4bd2f66cb9dc0337b13e6e4010951849a82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A6CF8030-B144-11EB-A11C-56F1F4F21F1A}.dat
MD5
fccc53a0e9584b882d0a995d0b808276

SHA1
9647e6393be46a5abf2f89bba03f8c4541e74198

SHA256
c79161d246102a847d430dbe42a6146a1e30f91f63f03e87c138461c1c669398

SHA512
dcbe1cbfcce9490ec237eed093116d4b883ec537cedd61735ea41b110e784ec07e678347d791df53bdc1a3c85f5c0f99b3c32592fd548e00754b37fd4161a0ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A6D90ACB-B144-11EB-A11C-56F1F4F21F1A}.dat
MD5
eb948ef7a4012c354523041dbc027764

SHA1
f69ada7d3328c5fb2d431dce3f8aceed4b335df8

SHA256
bbfbd7e2c2b26c9b286e9ceebb111d89a784e2f36522a6bb21d23d42353277b6

SHA512
49a6452d4b7dddae368bde6f61bcdfe7aeb400e818b8555a5c8ce735361147424a27be51ca44865e1ca3ea3da7eefd32835d22012ec31211a891f00c001fe39c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\GKOEXLLE.cookie
MD5
ffc37fd136247a5b861de7c2acb95894

SHA1
65866bb956fa25105dfe868d2085de72288f54a2

SHA256
6b360b1551a18ddde116389995ac8b8e2a86a164cbfc73b6423b5b77e871f307

SHA512
2c72e6fd9ac753b290702498d7d4e5ba1fbcfdb8b4e2c39e46e7769ddd3236eb5981661554631f8be4a823ea52069cb0ce1239411d7b8e399a5ad80cb076219f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\M2UCZ8C5.cookie
MD5
33a117c70b7810c8b4b75d3abf7748c8

SHA1
14b88fcae329dd5b1dcc0c3a456edcb1c1ebead1

SHA256
ff715ae570727716b9323f91b2b42c446fac18fb97749ad2beec672e309e7cdc

SHA512
30fef0be313df80245701e284de9554e3f4131cc8153b5df15d54e7a1f4cd6910c3a46465e9d20c422ac4dceac179c28428bd61bb48cbf63c4d942d30e4146d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83Srv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99919dfafd59775c4a8963a56064866c5d6cd9e13d7bcdd5d02c067b9b3dfa83SrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/908-114-0x0000000000000000-mapping.dmp

Download
memory/908-146-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/908-142-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/1172-122-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1172-150-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1172-116-0x0000000000000000-mapping.dmp

Download
memory/1508-118-0x0000000000000000-mapping.dmp

Download
memory/1596-120-0x0000000000000000-mapping.dmp

Download
memory/1596-152-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2012-126-0x0000000000000000-mapping.dmp

Download
memory/2012-160-0x0000000000000000-mapping.dmp

Download
memory/2168-144-0x00007FFDD5690000-0x00007FFDD56FB000-memory.dmp

Filesize
428KB

Download
memory/2168-128-0x0000000000000000-mapping.dmp

Download
memory/2184-129-0x0000000000000000-mapping.dmp

Download
memory/2184-143-0x00007FFDD5690000-0x00007FFDD56FB000-memory.dmp

Filesize
428KB

Download
memory/2416-133-0x0000000000000000-mapping.dmp

Download
memory/2416-139-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2464-140-0x00007FFDD5690000-0x00007FFDD56FB000-memory.dmp

Filesize
428KB

Download
memory/2464-134-0x0000000000000000-mapping.dmp

Download
memory/3340-145-0x0000000000000000-mapping.dmp

Download
memory/3340-148-0x00007FFDD5690000-0x00007FFDD56FB000-memory.dmp

Filesize
428KB

Download
memory/3520-141-0x0000000000000000-mapping.dmp

Download
memory/3520-147-0x00007FFDD5690000-0x00007FFDD56FB000-memory.dmp

Filesize
428KB

Download
memory/3872-159-0x0000000000000000-mapping.dmp

Download
memory/3896-161-0x0000000000000000-mapping.dmp

Download
memory/3980-162-0x0000000000000000-mapping.dmp

Download
memory/4132-163-0x0000000000000000-mapping.dmp

Download