ramnit | 681c48072a1d1fda5e7b57e7442faf65313a884998a537dac888d31dd76106eb

Analysis

max time kernel
130s
max time network
146s
platform
windows10_x64
resource
win10v20210410
submitted
11-05-2021 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

681c48072a1d1fda5e7b57e7442faf65313a884998a537dac888d31dd76106eb.dll
Size

450KB
MD5

dd1b9b35147cd5810a94c1a0fa07b77c
SHA1

6c3914d682172b5bfa0fae5804a7f56d5b5b60f6
SHA256

681c48072a1d1fda5e7b57e7442faf65313a884998a537dac888d31dd76106eb
SHA512

cdb6654feec55cbc4dbc9cb6a70d3f8ca59b1f63fa8bc381e643b14942e2e5891d7674fe6ca82bfe5f3a225ab48383cc3f8bd71fcdf44b32e76928dd5c3b5daf

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 6 IoCs

Processes:

rundll32Srv.exerundll32SrvSrv.exeDesktopLayer.exerundll32SrvSrvSrv.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exe

pid process

812 rundll32Srv.exe
1256 rundll32SrvSrv.exe
2780 DesktopLayer.exe
800 rundll32SrvSrvSrv.exe
1028 DesktopLayerSrv.exe
1812 DesktopLayerSrvSrv.exe

pid	process
812	rundll32Srv.exe
1256	rundll32SrvSrv.exe
2780	DesktopLayer.exe
800	rundll32SrvSrvSrv.exe
1028	DesktopLayerSrv.exe
1812	DesktopLayerSrvSrv.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
behavioral2/memory/1028-149-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/800-158-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
behavioral2/memory/812-138-0x0000000000400000-0x000000000044B000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx

Drops file in System32 directory 3 IoCs

Processes:

rundll32SrvSrv.exerundll32.exerundll32Srv.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe	rundll32SrvSrv.exe
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32SrvSrv.exe	rundll32Srv.exe

Drops file in Program Files directory 13 IoCs

Processes:

rundll32SrvSrvSrv.exerundll32Srv.exerundll32SrvSrv.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exeDesktopLayer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxFC3D.tmp	rundll32SrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32SrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFBCF.tmp	rundll32SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFD27.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFD75.tmp	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFAB6.tmp	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32SrvSrv.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2632 4028 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2632	4028	WerFault.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885574"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "844245057"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885574"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D6F075F-B2B9-11EB-A11C-D21259778703} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885574"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327544454"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "844089032"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885574"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885574"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "844245057"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D29EAD0-B2B9-11EB-A11C-D21259778703} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327593039"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "844245057"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D599102-B2B9-11EB-A11C-D21259778703} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D261A0F-B2B9-11EB-A11C-D21259778703} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D18AD10-B2B9-11EB-A11C-D21259778703} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "844245057"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885574"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "844245057"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885574"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

rundll32SrvSrv.exeDesktopLayer.exerundll32SrvSrvSrv.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exeWerFault.exe

pid	process
1256	rundll32SrvSrv.exe
1256	rundll32SrvSrv.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
800	rundll32SrvSrvSrv.exe
800	rundll32SrvSrvSrv.exe
1256	rundll32SrvSrv.exe
1256	rundll32SrvSrv.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
800	rundll32SrvSrvSrv.exe
800	rundll32SrvSrvSrv.exe
1256	rundll32SrvSrv.exe
1256	rundll32SrvSrv.exe
1256	rundll32SrvSrv.exe
1256	rundll32SrvSrv.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
1028	DesktopLayerSrv.exe
1028	DesktopLayerSrv.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
800	rundll32SrvSrvSrv.exe
800	rundll32SrvSrvSrv.exe
800	rundll32SrvSrvSrv.exe
800	rundll32SrvSrvSrv.exe
1812	DesktopLayerSrvSrv.exe
1812	DesktopLayerSrvSrv.exe
1028	DesktopLayerSrv.exe
1028	DesktopLayerSrv.exe
1812	DesktopLayerSrvSrv.exe
1812	DesktopLayerSrvSrv.exe
1812	DesktopLayerSrvSrv.exe
1812	DesktopLayerSrvSrv.exe
1812	DesktopLayerSrvSrv.exe
1812	DesktopLayerSrvSrv.exe
1028	DesktopLayerSrv.exe
1028	DesktopLayerSrv.exe
1028	DesktopLayerSrv.exe
1028	DesktopLayerSrv.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2104 iexplore.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2632 WerFault.exe
Token: SeBackupPrivilege 2632 WerFault.exe
Token: SeDebugPrivilege 2632 WerFault.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2680 iexplore.exe
1852 iexplore.exe
416 iexplore.exe
2104 iexplore.exe
1704 iexplore.exe

pid	process
2104	iexplore.exe

description	pid	process
Token: SeRestorePrivilege	2632	WerFault.exe
Token: SeBackupPrivilege	2632	WerFault.exe
Token: SeDebugPrivilege	2632	WerFault.exe

pid	process
2680	iexplore.exe
1852	iexplore.exe
416	iexplore.exe
2104	iexplore.exe
1704	iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1852	iexplore.exe
1852	iexplore.exe
1704	iexplore.exe
1704	iexplore.exe
416	iexplore.exe
416	iexplore.exe
2680	iexplore.exe
2680	iexplore.exe
2104	iexplore.exe
2104	iexplore.exe
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
336	IEXPLORE.EXE
336	IEXPLORE.EXE
3332	IEXPLORE.EXE
3332	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

rundll32.exerundll32.exerundll32Srv.exerundll32SrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exerundll32SrvSrvSrv.exeDesktopLayerSrvSrv.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3872 wrote to memory of 4028	3872	rundll32.exe	rundll32.exe
PID 3872 wrote to memory of 4028	3872	rundll32.exe	rundll32.exe
PID 3872 wrote to memory of 4028	3872	rundll32.exe	rundll32.exe
PID 4028 wrote to memory of 812	4028	rundll32.exe	rundll32Srv.exe
PID 4028 wrote to memory of 812	4028	rundll32.exe	rundll32Srv.exe
PID 4028 wrote to memory of 812	4028	rundll32.exe	rundll32Srv.exe
PID 812 wrote to memory of 1256	812	rundll32Srv.exe	rundll32SrvSrv.exe
PID 812 wrote to memory of 1256	812	rundll32Srv.exe	rundll32SrvSrv.exe
PID 812 wrote to memory of 1256	812	rundll32Srv.exe	rundll32SrvSrv.exe
PID 812 wrote to memory of 2780	812	rundll32Srv.exe	DesktopLayer.exe
PID 812 wrote to memory of 2780	812	rundll32Srv.exe	DesktopLayer.exe
PID 812 wrote to memory of 2780	812	rundll32Srv.exe	DesktopLayer.exe
PID 1256 wrote to memory of 800	1256	rundll32SrvSrv.exe	rundll32SrvSrvSrv.exe
PID 1256 wrote to memory of 800	1256	rundll32SrvSrv.exe	rundll32SrvSrvSrv.exe
PID 1256 wrote to memory of 800	1256	rundll32SrvSrv.exe	rundll32SrvSrvSrv.exe
PID 2780 wrote to memory of 1028	2780	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2780 wrote to memory of 1028	2780	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2780 wrote to memory of 1028	2780	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1256 wrote to memory of 1704	1256	rundll32SrvSrv.exe	iexplore.exe
PID 1256 wrote to memory of 1704	1256	rundll32SrvSrv.exe	iexplore.exe
PID 1028 wrote to memory of 1812	1028	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 1028 wrote to memory of 1812	1028	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 1028 wrote to memory of 1812	1028	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 2780 wrote to memory of 1852	2780	DesktopLayer.exe	iexplore.exe
PID 2780 wrote to memory of 1852	2780	DesktopLayer.exe	iexplore.exe
PID 800 wrote to memory of 2104	800	rundll32SrvSrvSrv.exe	iexplore.exe
PID 800 wrote to memory of 2104	800	rundll32SrvSrvSrv.exe	iexplore.exe
PID 1812 wrote to memory of 2680	1812	DesktopLayerSrvSrv.exe	iexplore.exe
PID 1812 wrote to memory of 2680	1812	DesktopLayerSrvSrv.exe	iexplore.exe
PID 1028 wrote to memory of 416	1028	DesktopLayerSrv.exe	iexplore.exe
PID 1028 wrote to memory of 416	1028	DesktopLayerSrv.exe	iexplore.exe
PID 1704 wrote to memory of 336	1704	iexplore.exe	IEXPLORE.EXE
PID 1704 wrote to memory of 336	1704	iexplore.exe	IEXPLORE.EXE
PID 1704 wrote to memory of 336	1704	iexplore.exe	IEXPLORE.EXE
PID 1852 wrote to memory of 2712	1852	iexplore.exe	IEXPLORE.EXE
PID 1852 wrote to memory of 2712	1852	iexplore.exe	IEXPLORE.EXE
PID 1852 wrote to memory of 2712	1852	iexplore.exe	IEXPLORE.EXE
PID 416 wrote to memory of 1056	416	iexplore.exe	IEXPLORE.EXE
PID 416 wrote to memory of 1056	416	iexplore.exe	IEXPLORE.EXE
PID 416 wrote to memory of 1056	416	iexplore.exe	IEXPLORE.EXE
PID 2680 wrote to memory of 2404	2680	iexplore.exe	IEXPLORE.EXE
PID 2680 wrote to memory of 2404	2680	iexplore.exe	IEXPLORE.EXE
PID 2680 wrote to memory of 2404	2680	iexplore.exe	IEXPLORE.EXE
PID 2104 wrote to memory of 3332	2104	iexplore.exe	IEXPLORE.EXE
PID 2104 wrote to memory of 3332	2104	iexplore.exe	IEXPLORE.EXE
PID 2104 wrote to memory of 3332	2104	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\681c48072a1d1fda5e7b57e7442faf65313a884998a537dac888d31dd76106eb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\681c48072a1d1fda5e7b57e7442faf65313a884998a537dac888d31dd76106eb.dll,#1
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\rundll32Srv.exe
C:\Windows\SysWOW64\rundll32Srv.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:812

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2712

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\rundll32SrvSrv.exe
C:\Windows\SysWOW64\rundll32SrvSrv.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 628
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:416

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:416 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3332

C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:336

C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
06165dea77d5d10217992bd74f065006

SHA1
964d97611d8050aaf7d8a3a5e641cd20df6afd92

SHA256
9b125647f3ede14fa37214fe956f3b906f8bf58510bdc1eecfdf2ca4c827fe8f

SHA512
e126e1fdd45d2b08c37724b568a1ee9eef95895f2c31f5626186032293eb7f2a62f907fea96f1f0fca4c7de3cd9bac45df28bb69d42b2cd7ea5468e1aefdfee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
06165dea77d5d10217992bd74f065006

SHA1
964d97611d8050aaf7d8a3a5e641cd20df6afd92

SHA256
9b125647f3ede14fa37214fe956f3b906f8bf58510bdc1eecfdf2ca4c827fe8f

SHA512
e126e1fdd45d2b08c37724b568a1ee9eef95895f2c31f5626186032293eb7f2a62f907fea96f1f0fca4c7de3cd9bac45df28bb69d42b2cd7ea5468e1aefdfee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
06165dea77d5d10217992bd74f065006

SHA1
964d97611d8050aaf7d8a3a5e641cd20df6afd92

SHA256
9b125647f3ede14fa37214fe956f3b906f8bf58510bdc1eecfdf2ca4c827fe8f

SHA512
e126e1fdd45d2b08c37724b568a1ee9eef95895f2c31f5626186032293eb7f2a62f907fea96f1f0fca4c7de3cd9bac45df28bb69d42b2cd7ea5468e1aefdfee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
06165dea77d5d10217992bd74f065006

SHA1
964d97611d8050aaf7d8a3a5e641cd20df6afd92

SHA256
9b125647f3ede14fa37214fe956f3b906f8bf58510bdc1eecfdf2ca4c827fe8f

SHA512
e126e1fdd45d2b08c37724b568a1ee9eef95895f2c31f5626186032293eb7f2a62f907fea96f1f0fca4c7de3cd9bac45df28bb69d42b2cd7ea5468e1aefdfee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
06165dea77d5d10217992bd74f065006

SHA1
964d97611d8050aaf7d8a3a5e641cd20df6afd92

SHA256
9b125647f3ede14fa37214fe956f3b906f8bf58510bdc1eecfdf2ca4c827fe8f

SHA512
e126e1fdd45d2b08c37724b568a1ee9eef95895f2c31f5626186032293eb7f2a62f907fea96f1f0fca4c7de3cd9bac45df28bb69d42b2cd7ea5468e1aefdfee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f2416ca153cd0420f5db8cd8a51d5d5a

SHA1
8c83b591e6a0d34f82955ccb1681edbfa7960a47

SHA256
1c048a3f4667d1a5c6cafeec5c462f1df113e492f88222dafbabed34d5706db2

SHA512
0e9e1f3d8fe8aab34b47969ebe92af6ef2414c1166b3881f3fab3c3545a6a559312ea05b0a3a24b4707be2b23700f82e6919a6e56af8abf546d77c67e50039d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f2416ca153cd0420f5db8cd8a51d5d5a

SHA1
8c83b591e6a0d34f82955ccb1681edbfa7960a47

SHA256
1c048a3f4667d1a5c6cafeec5c462f1df113e492f88222dafbabed34d5706db2

SHA512
0e9e1f3d8fe8aab34b47969ebe92af6ef2414c1166b3881f3fab3c3545a6a559312ea05b0a3a24b4707be2b23700f82e6919a6e56af8abf546d77c67e50039d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
2d4ec7c4035149777e406199e30892de

SHA1
31129548676f1f6fb168284dde04818e9a61243e

SHA256
c15acade0fa8bc96c65c7a618d47dfd1cd58e3429826771e6fa97721e5b4036e

SHA512
9d7c1e3075d38486570ed06d46ed8cf2366788e4e0826ef9bf068ffbbb97002e3df2cfba4395ed8de8f36c4f40c8e5fb425774f70db387c11aaab69360d88aec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
2d4ec7c4035149777e406199e30892de

SHA1
31129548676f1f6fb168284dde04818e9a61243e

SHA256
c15acade0fa8bc96c65c7a618d47dfd1cd58e3429826771e6fa97721e5b4036e

SHA512
9d7c1e3075d38486570ed06d46ed8cf2366788e4e0826ef9bf068ffbbb97002e3df2cfba4395ed8de8f36c4f40c8e5fb425774f70db387c11aaab69360d88aec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
7fec444a87eec4f419db1ae1e77df851

SHA1
378b85e1d557880aa1512da344dfa270bf6f5b7c

SHA256
9ccc9a7b7f489cc33beb728be2abdbbae6e094d2159a9456f8f9cb23d25d9be8

SHA512
b37d2961472bdd75eb132e0b82bc94533b986f092933b34e6c9297ecd5ab756a4d64661689ee68680cce8bd15ee327baf5797b2ec50b744db8c59dbaeb21c02d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
7fec444a87eec4f419db1ae1e77df851

SHA1
378b85e1d557880aa1512da344dfa270bf6f5b7c

SHA256
9ccc9a7b7f489cc33beb728be2abdbbae6e094d2159a9456f8f9cb23d25d9be8

SHA512
b37d2961472bdd75eb132e0b82bc94533b986f092933b34e6c9297ecd5ab756a4d64661689ee68680cce8bd15ee327baf5797b2ec50b744db8c59dbaeb21c02d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
20ea79a905b501b3bd4d4c04529c0b3a

SHA1
01ca383024b27d37f6e5a4cc7146e5fee0910857

SHA256
f9747cf318950274f54f8aa05a9f8ddfff00d0b3df10d748eaf6b966b49334d7

SHA512
9de6553396c29d111a733d0b3049c711420185aa11f69bd705b0fbddd4e3c3974c2cec76c5a1ad21283ce3192364f8e44c9a6e5b056ab85f5d9048503f3496e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
20ea79a905b501b3bd4d4c04529c0b3a

SHA1
01ca383024b27d37f6e5a4cc7146e5fee0910857

SHA256
f9747cf318950274f54f8aa05a9f8ddfff00d0b3df10d748eaf6b966b49334d7

SHA512
9de6553396c29d111a733d0b3049c711420185aa11f69bd705b0fbddd4e3c3974c2cec76c5a1ad21283ce3192364f8e44c9a6e5b056ab85f5d9048503f3496e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
d69f75a218137965cef287966bd5ffc9

SHA1
b7baf431451172f420dba462604e0b345240091a

SHA256
eec3c6b26ef3c1de46c0c19f30f6a98d70bc4335a722c6125ab3a6a53964925f

SHA512
6ac2e36d6adbf6e54a9c32544cd432b48a3d10080dfeabade288679c703f7dd38c287f2995607bd9d2108d69da605f69942353296353ac05aba208d1082c7266

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
83f8336460a0d5babe43c449eb19dbaa

SHA1
e951e46d538200ece22fd410a9ff85062fb7e8d1

SHA256
40fa28b8c76356ec66e3927d368328bb7bb093e0bbf07dfcdd769fe72b79b63a

SHA512
652ab11f1ec226721be7a40e7bda3c7e214f9f41333acad8c7a3e54a4b9c5dea383aba0aac73558160c1d18784b8d18e02d47c158aa0e39a6a296399d8fb862b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
83f8336460a0d5babe43c449eb19dbaa

SHA1
e951e46d538200ece22fd410a9ff85062fb7e8d1

SHA256
40fa28b8c76356ec66e3927d368328bb7bb093e0bbf07dfcdd769fe72b79b63a

SHA512
652ab11f1ec226721be7a40e7bda3c7e214f9f41333acad8c7a3e54a4b9c5dea383aba0aac73558160c1d18784b8d18e02d47c158aa0e39a6a296399d8fb862b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D18AD10-B2B9-11EB-A11C-D21259778703}.dat
MD5
b17b04df777d07a2bd50a6ed1e22b258

SHA1
5c926b5e63fdaff6f111d5d108199d35bd4734de

SHA256
934ff8f7c7131922d75ca0fe7fce15aaad28408ef5adc1ca6706657127f0d5cd

SHA512
ebfb3f33efe87cd72f72e1096d630d1cd24e0665f3302c2eafd142d1168fdc7d2ab7fb08fa329dd4f334f46d8847f0f55cddf24e0b63ec57aae959ee6f1290af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D261A0F-B2B9-11EB-A11C-D21259778703}.dat
MD5
94f4ebceea118234711341ce53b4827b

SHA1
540bfe4c4ba872493d2ce73c42456897b91e7cc6

SHA256
f9ad79c93232bf9d304e571074d2b89f5d225ccda6614aca9881d0603c27dc18

SHA512
f51a0ddadf3cf49e14b6fe9b58dfa909e0d6999aa12c368258e44b7660c8336b473f2e899dcefe9358c267dfd6f3750a23b9e936b609a11aa6b8f8cb5e7ea1fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D29EAD0-B2B9-11EB-A11C-D21259778703}.dat
MD5
f98bf749392d98f0fdeb3b997a662643

SHA1
15934d383f350d61ff965a7a8e19cf826d6e6692

SHA256
177480f12ff6f0c4a75cfd6b0288ef30aa19f25e81a874a171591fc5d946aa52

SHA512
6165cc48d5672b3d3b7dd332af696783e2b0aee77700e20def7b155bc1b0cbf652cf4cac48f26fc8ca5599b7283935ebb25879e0f6bad0922d588e6ff6fa4b9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D6F075F-B2B9-11EB-A11C-D21259778703}.dat
MD5
fd064000498b67e7c17fe44729e5a786

SHA1
509e47ce4f5f23c5f88efe4d5986c73bcd630f55

SHA256
5f2b01122fcf588c6ee81967d1d477ab86e705480f45a6b7f93349b200789b71

SHA512
b73e865619dd458977038fc8d971868d616d9d36731a40c12a732a047288a2346f3adc7bf611d17290774afa2e4c5aab1f6e390d68de6ad100bac7bf7a47be69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D6F075F-B2B9-11EB-A11C-D21259778703}.dat
MD5
7ab8751d7e313fae7b29ab5a3d83703c

SHA1
0be2b498acf77ee73184c67d949ebdfe1f3a44f4

SHA256
bc6eec2775792e60ca137d0a0588964f20f3f461bc54cc66f367032224207b6f

SHA512
340588aacc61d17317baf16f3a64858d6401caf6f1cc3284e1b13d8b9e140074b1136f847a802bf8a39d457a2159313552bae7665d53a53c255aa1f53cdf49f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\9K9Z3T27.cookie
MD5
52c572f95678b1d2452683e13acdf441

SHA1
fce124a3f35cc7cc5327dd54577678667f752573

SHA256
ab8175e0055e9855c0ffe06a1993d5455bce7590274a126c67c50f6d344697ef

SHA512
217edbcb47611842ca7e105e19302efd35a6fe8a336821501699c8f799a82eaaf7f2c78ce02beddcc7f44ed4d0c9554a169eee516b10a0f7495877f67d222e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VOWKHB96.cookie
MD5
88f187f259cb4ad0fe48a7429f4720dd

SHA1
1f7a0493e6a6197b4eb87c2a39e728110361308b

SHA256
132e365bb55300e86232984dcb96cdf06ee123a56103a781da17509eef96e5e2

SHA512
976d4d804fe32ccfc80c8e1f128fe70684248308472cb8bf649b1c254d1d6a4466378a363eaba769b231e6b4f08279504dac3535936e3d6900f4f08401cca235

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/336-160-0x0000000000000000-mapping.dmp

Download
memory/416-150-0x0000000000000000-mapping.dmp

Download
memory/416-155-0x00007FF8F2470000-0x00007FF8F24DB000-memory.dmp

Filesize
428KB

Download
memory/800-158-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/800-121-0x0000000000000000-mapping.dmp

Download
memory/812-138-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/812-115-0x0000000000000000-mapping.dmp

Download
memory/812-126-0x00000000001F0000-0x00000000001FF000-memory.dmp

Filesize
60KB

Download
memory/1028-123-0x0000000000000000-mapping.dmp

Download
memory/1028-149-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1056-162-0x0000000000000000-mapping.dmp

Download
memory/1256-117-0x0000000000000000-mapping.dmp

Download
memory/1256-125-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1704-147-0x00007FF8F2470000-0x00007FF8F24DB000-memory.dmp

Filesize
428KB

Download
memory/1704-132-0x0000000000000000-mapping.dmp

Download
memory/1812-135-0x0000000000000000-mapping.dmp

Download
memory/1852-148-0x00007FF8F2470000-0x00007FF8F24DB000-memory.dmp

Filesize
428KB

Download
memory/1852-136-0x0000000000000000-mapping.dmp

Download
memory/2104-137-0x0000000000000000-mapping.dmp

Download
memory/2104-151-0x00007FF8F2470000-0x00007FF8F24DB000-memory.dmp

Filesize
428KB

Download
memory/2404-163-0x0000000000000000-mapping.dmp

Download
memory/2680-146-0x0000000000000000-mapping.dmp

Download
memory/2680-153-0x00007FF8F2470000-0x00007FF8F24DB000-memory.dmp

Filesize
428KB

Download
memory/2712-161-0x0000000000000000-mapping.dmp

Download
memory/2780-119-0x0000000000000000-mapping.dmp

Download
memory/3332-164-0x0000000000000000-mapping.dmp

Download
memory/4028-114-0x0000000000000000-mapping.dmp

Download