ramnit | 1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-06-2022 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe
Size

4.1MB
MD5

c91a409e386c36cf75ac6431871dcfa6
SHA1

e1816085481134ad5881863e5add28f36428830e
SHA256

1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8
SHA512

0e4042f54c8eef2ba494aba4d4ed678b79807c3af18ff3ce787bf3741d9e0096852880a416f5517b9ea7af22ebea0c3c17c9c0fd701a530728c5425a9b96ab32

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 6 IoCs

Processes:

Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXELeisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exeLeisure Suit Larry Reloaded trainer for cash MrAntiFun.EXEDesktopLayer.exeLeisure Suit Larry Reloaded trainer for cash MrAntiFun.EXExmplayer.exe

pid	process
1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
2040	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
1692	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
1724	DesktopLayer.exe
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
780	xmplayer.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	upx
\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	upx
\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	upx
\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	upx
behavioral1/memory/2040-78-0x0000000000400000-0x000000000042E000-memory.dmp	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1724-91-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx

Loads dropped DLL 23 IoCs

Processes:

1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exeLeisure Suit Larry Reloaded trainer for cash MrAntiFun.EXELeisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exeLeisure Suit Larry Reloaded trainer for cash MrAntiFun.EXEDesktopLayer.exeLeisure Suit Larry Reloaded trainer for cash MrAntiFun.EXExmplayer.exe

pid	process
1048	1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe
1048	1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe
1048	1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe
1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
2040	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
2040	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
2040	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
1692	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
1692	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
1724	DesktopLayer.exe
1724	DesktopLayer.exe
1692	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
780	xmplayer.exe
780	xmplayer.exe

Drops file in Program Files directory 3 IoCs

Processes:

Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxFF18.tmp	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9A57B11-EAB1-11EC-A0BC-6AE9FCDE30C7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "361846022"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

DesktopLayer.exeLeisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

pid	process
1724	DesktopLayer.exe
1724	DesktopLayer.exe
1724	DesktopLayer.exe
1724	DesktopLayer.exe
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXEAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: SeLoadDriverPrivilege	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: SeCreateGlobalPrivilege	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: 33	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: SeSecurityPrivilege	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: SeTakeOwnershipPrivilege	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: SeManageVolumePrivilege	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: SeBackupPrivilege	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: SeCreatePagefilePrivilege	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: SeShutdownPrivilege	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: SeRestorePrivilege	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: 33	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: SeIncBasePriorityPrivilege	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
Token: 33	1728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1728	AUDIODG.EXE
Token: 33	1728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1728	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXEiexplore.exe

pid process

776 Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
1184 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1184 iexplore.exe
1184 iexplore.exe
1672 IEXPLORE.EXE
1672 IEXPLORE.EXE

pid	process
776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
1184	iexplore.exe

pid	process
1184	iexplore.exe
1184	iexplore.exe
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exeLeisure Suit Larry Reloaded trainer for cash MrAntiFun.EXELeisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exeDesktopLayer.exeiexplore.exeLeisure Suit Larry Reloaded trainer for cash MrAntiFun.EXELeisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

description	pid	process	target process
PID 1048 wrote to memory of 1260	1048	1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1048 wrote to memory of 1260	1048	1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1048 wrote to memory of 1260	1048	1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1048 wrote to memory of 1260	1048	1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1048 wrote to memory of 1260	1048	1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1048 wrote to memory of 1260	1048	1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1048 wrote to memory of 1260	1048	1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1260 wrote to memory of 2040	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
PID 1260 wrote to memory of 2040	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
PID 1260 wrote to memory of 2040	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
PID 1260 wrote to memory of 2040	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
PID 1260 wrote to memory of 2040	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
PID 1260 wrote to memory of 2040	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
PID 1260 wrote to memory of 2040	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
PID 1260 wrote to memory of 1692	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1260 wrote to memory of 1692	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1260 wrote to memory of 1692	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1260 wrote to memory of 1692	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1260 wrote to memory of 1692	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1260 wrote to memory of 1692	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1260 wrote to memory of 1692	1260	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 2040 wrote to memory of 1724	2040	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	DesktopLayer.exe
PID 2040 wrote to memory of 1724	2040	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	DesktopLayer.exe
PID 2040 wrote to memory of 1724	2040	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	DesktopLayer.exe
PID 2040 wrote to memory of 1724	2040	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	DesktopLayer.exe
PID 2040 wrote to memory of 1724	2040	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	DesktopLayer.exe
PID 2040 wrote to memory of 1724	2040	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	DesktopLayer.exe
PID 2040 wrote to memory of 1724	2040	Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe	DesktopLayer.exe
PID 1724 wrote to memory of 1184	1724	DesktopLayer.exe	iexplore.exe
PID 1724 wrote to memory of 1184	1724	DesktopLayer.exe	iexplore.exe
PID 1724 wrote to memory of 1184	1724	DesktopLayer.exe	iexplore.exe
PID 1724 wrote to memory of 1184	1724	DesktopLayer.exe	iexplore.exe
PID 1184 wrote to memory of 1672	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1672	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1672	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1672	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1672	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1672	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1672	1184	iexplore.exe	IEXPLORE.EXE
PID 1692 wrote to memory of 776	1692	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1692 wrote to memory of 776	1692	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1692 wrote to memory of 776	1692	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1692 wrote to memory of 776	1692	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1692 wrote to memory of 776	1692	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1692 wrote to memory of 776	1692	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 1692 wrote to memory of 776	1692	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
PID 776 wrote to memory of 780	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	xmplayer.exe
PID 776 wrote to memory of 780	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	xmplayer.exe
PID 776 wrote to memory of 780	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	xmplayer.exe
PID 776 wrote to memory of 780	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	xmplayer.exe
PID 776 wrote to memory of 780	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	xmplayer.exe
PID 776 wrote to memory of 780	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	xmplayer.exe
PID 776 wrote to memory of 780	776	Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE	xmplayer.exe

C:\Users\Admin\AppData\Local\Temp\1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe
"C:\Users\Admin\AppData\Local\Temp\1f5d2bceb828eb93c595b991184a9a07983e9369ee1f589cee614d9761927ff8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
"C:\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe
"C:\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
"C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE
"C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\xmplayer.exe
"C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\xmplayer.exe" CEA0581AFC0_E62D_47D3_BA7EFB79C58222FF
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x174
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
4.0MB

MD5
6297e887800a6d442fad01c2ae2eaaec

SHA1
07c08a54e5268ff579b291412fa774f7e3f8c8ec

SHA256
ac000c4e2d902530f49740184123c8704344f3005b0876cf956b1d8e85dd83e3

SHA512
cf1735ca60053b85269929c8c129b106d0f1cd1037709b82c929c4c2bde351acbc6cfd600942944c83d42c92e9f2bf7df6faf8cc564285bb3e89a99350041354

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
4.0MB

MD5
6297e887800a6d442fad01c2ae2eaaec

SHA1
07c08a54e5268ff579b291412fa774f7e3f8c8ec

SHA256
ac000c4e2d902530f49740184123c8704344f3005b0876cf956b1d8e85dd83e3

SHA512
cf1735ca60053b85269929c8c129b106d0f1cd1037709b82c929c4c2bde351acbc6cfd600942944c83d42c92e9f2bf7df6faf8cc564285bb3e89a99350041354

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\CET_Archive.dat

Filesize
3.7MB

MD5
ab450656856cb712d95a0b4cbd0884d5

SHA1
ad43b369a27d00abb3837bb30dc230f33bda6019

SHA256
63b34d51f449bddaf98720458126680f55240cac9b686a825095b1eb70ba0959

SHA512
796f3148e65565e42c88a7fa5b0c9f568025650d924e858250cdba7b82aa06b770b95deb9f3da32df93446a238ea8e897074612064358d5cc23b942068048f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
333KB

MD5
7dcdf2208f4f6039a83af5b5c19aaab8

SHA1
e6d74e22becb969b7c0cfd114cf64ef2f793ad3c

SHA256
3b0e78904b52806c1e36fd2bb45c48e85f4ee21df879e1a09cb21fbf7ec3187a

SHA512
594278a5161e8f3af557543dbd76a6f4c9bd7dc4751524ae1b0e2246cb1e1ca0cdf35972065be8964c999917ba0507e4d22311b4b8be682a51af32160f127e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
6.5MB

MD5
a43446255da1b8dd977f1ba5a8aeccde

SHA1
430bdafd218f4d7caab3bc6a7bbd37ec5ecf073e

SHA256
62679b24532b92512e5413511a665a02cbbf193dbc12eececc9bdf4b7ff2441d

SHA512
f0ea888532786a249a66c770bcd3a4e68560362ffdb72c1cae1ee6fe1088a572994cc054e821c5824a92bbc28b8eb8f2ee53e62fc364f6c5bd00becf340fcfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
6.5MB

MD5
a43446255da1b8dd977f1ba5a8aeccde

SHA1
430bdafd218f4d7caab3bc6a7bbd37ec5ecf073e

SHA256
62679b24532b92512e5413511a665a02cbbf193dbc12eececc9bdf4b7ff2441d

SHA512
f0ea888532786a249a66c770bcd3a4e68560362ffdb72c1cae1ee6fe1088a572994cc054e821c5824a92bbc28b8eb8f2ee53e62fc364f6c5bd00becf340fcfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\defines.lua

Filesize
4KB

MD5
137698460f16dd9d7c5dcd95497fde8c

SHA1
f271fd46db36fe597afb103cb5285d504b51e519

SHA256
69cc27cc19c4f47586d4e65f5b22329f66d5d6dc9b86670cdc8e3c19d2e39829

SHA512
3c6e21781e6855f551fc5c6d04f8a14029256d1d8c4e83071d3648103be28adbbfe45d548e918772e9cb2ba386d025171ea578581d7ee193c2af7d4545f1319a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\lua5.1-32.dll

Filesize
329KB

MD5
8abe7dd2963502fe189f42fa7cba4f74

SHA1
53122c0d89c956411cfa2cdbe3334d3fa434713e

SHA256
bb89ed00c1974e376e8faada62a2eee7c3229ff3c2734771ea16d2d5df97e74a

SHA512
9df601cc2b9ada2df59885149007db4afb9c965b5981685949996e1a05174c24b5b9cefeb4dd09dbae7aae21485bcffbefb83fe6ce5ffff74875b231eada993f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\xmplayer.exe

Filesize
190KB

MD5
1c84fe15cd4649dfbd903aa883f139ae

SHA1
faddaf0d9e1fa1843f1a010a5d8531de2d53fba8

SHA256
3f120f522e9a00975d0a9c1a724303e5a16a4d52c35091810f00f82482308e7d

SHA512
b1453ab5aa3f7ac7386e412f075c6818e7e07931c72b3331ec77a070023f143f0d745852dbae2c7615d1045e95f49226de3db4e6c95691e475a93bf9a89ebcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\xmplayer.exe

Filesize
190KB

MD5
1c84fe15cd4649dfbd903aa883f139ae

SHA1
faddaf0d9e1fa1843f1a010a5d8531de2d53fba8

SHA256
3f120f522e9a00975d0a9c1a724303e5a16a4d52c35091810f00f82482308e7d

SHA512
b1453ab5aa3f7ac7386e412f075c6818e7e07931c72b3331ec77a070023f143f0d745852dbae2c7615d1045e95f49226de3db4e6c95691e475a93bf9a89ebcc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M4BQEWNX.txt

Filesize
604B

MD5
5cf9430f2b68e0816ba37b225e78289e

SHA1
4d62e786d903f49418c0be9af6f738c29490d3b9

SHA256
a92a020514f7b2e3925605237dfb2f9201b9c8ed0eed1416897fa3c414a939c0

SHA512
cd315ac6bae088e2fc69a329648087874650173868364e8c0cafed056b02f87bea6b4841c2b7ae39c3f390cf82c4c5b1d3e76404969b6877bdd2d7c60e8c9d90

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
4.0MB

MD5
6297e887800a6d442fad01c2ae2eaaec

SHA1
07c08a54e5268ff579b291412fa774f7e3f8c8ec

SHA256
ac000c4e2d902530f49740184123c8704344f3005b0876cf956b1d8e85dd83e3

SHA512
cf1735ca60053b85269929c8c129b106d0f1cd1037709b82c929c4c2bde351acbc6cfd600942944c83d42c92e9f2bf7df6faf8cc564285bb3e89a99350041354

Download Submit
\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
4.0MB

MD5
6297e887800a6d442fad01c2ae2eaaec

SHA1
07c08a54e5268ff579b291412fa774f7e3f8c8ec

SHA256
ac000c4e2d902530f49740184123c8704344f3005b0876cf956b1d8e85dd83e3

SHA512
cf1735ca60053b85269929c8c129b106d0f1cd1037709b82c929c4c2bde351acbc6cfd600942944c83d42c92e9f2bf7df6faf8cc564285bb3e89a99350041354

Download Submit
\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
4.0MB

MD5
6297e887800a6d442fad01c2ae2eaaec

SHA1
07c08a54e5268ff579b291412fa774f7e3f8c8ec

SHA256
ac000c4e2d902530f49740184123c8704344f3005b0876cf956b1d8e85dd83e3

SHA512
cf1735ca60053b85269929c8c129b106d0f1cd1037709b82c929c4c2bde351acbc6cfd600942944c83d42c92e9f2bf7df6faf8cc564285bb3e89a99350041354

Download Submit
\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\Leisure Suit Larry Reloaded trainer for cash MrAntiFunSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
6.5MB

MD5
a43446255da1b8dd977f1ba5a8aeccde

SHA1
430bdafd218f4d7caab3bc6a7bbd37ec5ecf073e

SHA256
62679b24532b92512e5413511a665a02cbbf193dbc12eececc9bdf4b7ff2441d

SHA512
f0ea888532786a249a66c770bcd3a4e68560362ffdb72c1cae1ee6fe1088a572994cc054e821c5824a92bbc28b8eb8f2ee53e62fc364f6c5bd00becf340fcfbd

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
6.5MB

MD5
a43446255da1b8dd977f1ba5a8aeccde

SHA1
430bdafd218f4d7caab3bc6a7bbd37ec5ecf073e

SHA256
62679b24532b92512e5413511a665a02cbbf193dbc12eececc9bdf4b7ff2441d

SHA512
f0ea888532786a249a66c770bcd3a4e68560362ffdb72c1cae1ee6fe1088a572994cc054e821c5824a92bbc28b8eb8f2ee53e62fc364f6c5bd00becf340fcfbd

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\Leisure Suit Larry Reloaded trainer for cash MrAntiFun.EXE

Filesize
6.5MB

MD5
a43446255da1b8dd977f1ba5a8aeccde

SHA1
430bdafd218f4d7caab3bc6a7bbd37ec5ecf073e

SHA256
62679b24532b92512e5413511a665a02cbbf193dbc12eececc9bdf4b7ff2441d

SHA512
f0ea888532786a249a66c770bcd3a4e68560362ffdb72c1cae1ee6fe1088a572994cc054e821c5824a92bbc28b8eb8f2ee53e62fc364f6c5bd00becf340fcfbd

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\lua5.1-32.dll

Filesize
329KB

MD5
8abe7dd2963502fe189f42fa7cba4f74

SHA1
53122c0d89c956411cfa2cdbe3334d3fa434713e

SHA256
bb89ed00c1974e376e8faada62a2eee7c3229ff3c2734771ea16d2d5df97e74a

SHA512
9df601cc2b9ada2df59885149007db4afb9c965b5981685949996e1a05174c24b5b9cefeb4dd09dbae7aae21485bcffbefb83fe6ce5ffff74875b231eada993f

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\xmplayer.exe

Filesize
190KB

MD5
1c84fe15cd4649dfbd903aa883f139ae

SHA1
faddaf0d9e1fa1843f1a010a5d8531de2d53fba8

SHA256
3f120f522e9a00975d0a9c1a724303e5a16a4d52c35091810f00f82482308e7d

SHA512
b1453ab5aa3f7ac7386e412f075c6818e7e07931c72b3331ec77a070023f143f0d745852dbae2c7615d1045e95f49226de3db4e6c95691e475a93bf9a89ebcc1

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\xmplayer.exe

Filesize
190KB

MD5
1c84fe15cd4649dfbd903aa883f139ae

SHA1
faddaf0d9e1fa1843f1a010a5d8531de2d53fba8

SHA256
3f120f522e9a00975d0a9c1a724303e5a16a4d52c35091810f00f82482308e7d

SHA512
b1453ab5aa3f7ac7386e412f075c6818e7e07931c72b3331ec77a070023f143f0d745852dbae2c7615d1045e95f49226de3db4e6c95691e475a93bf9a89ebcc1

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\xmplayer.exe

Filesize
190KB

MD5
1c84fe15cd4649dfbd903aa883f139ae

SHA1
faddaf0d9e1fa1843f1a010a5d8531de2d53fba8

SHA256
3f120f522e9a00975d0a9c1a724303e5a16a4d52c35091810f00f82482308e7d

SHA512
b1453ab5aa3f7ac7386e412f075c6818e7e07931c72b3331ec77a070023f143f0d745852dbae2c7615d1045e95f49226de3db4e6c95691e475a93bf9a89ebcc1

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CETFEAA.tmp\extracted\xmplayer.exe

Filesize
190KB

MD5
1c84fe15cd4649dfbd903aa883f139ae

SHA1
faddaf0d9e1fa1843f1a010a5d8531de2d53fba8

SHA256
3f120f522e9a00975d0a9c1a724303e5a16a4d52c35091810f00f82482308e7d

SHA512
b1453ab5aa3f7ac7386e412f075c6818e7e07931c72b3331ec77a070023f143f0d745852dbae2c7615d1045e95f49226de3db4e6c95691e475a93bf9a89ebcc1

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE88E.tmp\AdvSplash.dll

Filesize
6KB

MD5
a1bba35c752b36f575350cb7ddf238e4

SHA1
9603b691ae71d4fbc7a14dbb837bd97cecac8aab

SHA256
0667863d71a3021ab844069b6dd0485f874bf638af478ab11c6fb8b7d6c834b6

SHA512
eb5d3498dd994bec42a437cf91343665d3c35bfe3f6277a7393af6a0b8348772c3166d9be48955edddf6ef79fa508ec8d4f96d7d5df37ecdc52c90042e0a2967

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE88E.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
memory/776-102-0x00000000743C1000-0x00000000743C3000-memory.dmp

Filesize
8KB

Download
memory/776-94-0x0000000000000000-mapping.dmp

Download
memory/780-110-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1048-84-0x00000000033A0000-0x000000000379A000-memory.dmp

Filesize
4.0MB

Download
memory/1260-58-0x0000000000000000-mapping.dmp

Download
memory/1260-88-0x00000000011D0000-0x00000000015CA000-memory.dmp

Filesize
4.0MB

Download
memory/1260-89-0x0000000000A20000-0x0000000000E1A000-memory.dmp

Filesize
4.0MB

Download
memory/1260-115-0x0000000000A20000-0x0000000000E1A000-memory.dmp

Filesize
4.0MB

Download
memory/1692-69-0x0000000000000000-mapping.dmp

Download
memory/1724-74-0x0000000000000000-mapping.dmp

Download
memory/1724-91-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1724-90-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/2040-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2040-65-0x0000000000000000-mapping.dmp

Download
memory/2040-80-0x0000000000820000-0x000000000084E000-memory.dmp

Filesize
184KB

Download