ramnit | 2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572

Analysis

max time kernel
116s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
15-06-2022 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
Size

10.1MB
MD5

c4d1b9121ad973a18e928ac20882d4f9
SHA1

002019e5c2436898d0647e08a1175d4debd6dcdb
SHA256

2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572
SHA512

fc8dc2c6d9536543c09d46e40cbf56772b7aa3c1aeb795fcd52aba8b154aab64f708ad65659bed3cf4faf065dbdf258e58c707f4b0341ea1aacd81383167e317

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

Processes:

2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exeDesktopLayer.exe2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exeDesktopLayer.exe2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe

pid	process
2740	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
4604	DesktopLayer.exe
4872	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
4376	DesktopLayer.exe
4288	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe	upx
behavioral2/memory/4604-148-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/2740-137-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\nsjAC73.tmp\nsRandom.dll	upx
C:\Users\Admin\AppData\Local\Temp\nsjAC73.tmp\nsRandom.dll	upx
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe	upx
behavioral2/memory/4288-168-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 11 IoCs

Processes:

2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe

pid	process
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe

Drops file in Program Files directory 5 IoCs

Processes:

2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxACEE.tmp	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAE36.tmp	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
208	3428	WerFault.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
212	3428	WerFault.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
492	3428	WerFault.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{69AA723E-EC6F-11EC-AC67-7E7E0F8D8E49} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b0915000000000200000000001066000000010000200000004e69f112ad19bc73f68ad9df176642fc47718b42e5dcaa177d2031e27a9951e6000000000e8000000002000020000000974f67bf76d7074798c1f31242e8901da6248329bd19603ab2fe09ca558fb5e510000000c7597c2bc6377eb57cb6b8361bf51fc140000000e0a6390e6f5929cec75e7b1fa5f3b2e67f7c27ca2247db3f48a4457531ec9ecde47dee34917887e4f13ca03b8f8150a815db7a60002f339977793477badddee3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "362037362"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1126811407"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1162592851"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30965884"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1162592851"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = f982cdb29d50d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30965884"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1126811407"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30965884"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{69A5AF21-EC6F-11EC-AC67-7E7E0F8D8E49} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1162592851"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30965884"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1162592851"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b091500000000020000000000106600000001000020000000be372779d76e279c87299cef6c3c7dceeb8156ebc63201507feded6cc44d9c5b000000000e8000000002000020000000f6cf16139d4b37f1af95d300287582481189a1c354906d38b5e5da6bfb1416ce50000000fce2db69277649df82b629641ba5aaacf25b680bb37250a056b030dbf1a91d391fcdb836da3aac388e0af6f599a775c9bfcb93fb15592a50cbe024e71217bf5c3c188243fece2392cbece2f0891e18dd400000002079d90284a38a0020e4b70063f5091e0ad0c0d079db5de25b9d225c921a845d7178a165d25c9ed55d545ac24bb57e8ffe3c896d7114dd46948a9451ae26999e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30965884"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30965884"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

DesktopLayer.exeDesktopLayer.exe

pid	process
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4376	DesktopLayer.exe
4376	DesktopLayer.exe
4376	DesktopLayer.exe
4376	DesktopLayer.exe
4376	DesktopLayer.exe
4376	DesktopLayer.exe
4376	DesktopLayer.exe
4376	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

4388 iexplore.exe
2344 iexplore.exe

pid	process
4388	iexplore.exe
2344	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
2344	iexplore.exe
2344	iexplore.exe
4388	iexplore.exe
4388	iexplore.exe
3992	IEXPLORE.EXE
3992	IEXPLORE.EXE
4500	IEXPLORE.EXE
4500	IEXPLORE.EXE
3992	IEXPLORE.EXE
3992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exeDesktopLayer.exe2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exeDesktopLayer.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3428 wrote to memory of 2740	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
PID 3428 wrote to memory of 2740	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
PID 3428 wrote to memory of 2740	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
PID 2740 wrote to memory of 4604	2740	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe	DesktopLayer.exe
PID 2740 wrote to memory of 4604	2740	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe	DesktopLayer.exe
PID 2740 wrote to memory of 4604	2740	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe	DesktopLayer.exe
PID 4604 wrote to memory of 4388	4604	DesktopLayer.exe	iexplore.exe
PID 4604 wrote to memory of 4388	4604	DesktopLayer.exe	iexplore.exe
PID 3428 wrote to memory of 4872	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
PID 3428 wrote to memory of 4872	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
PID 3428 wrote to memory of 4872	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
PID 4872 wrote to memory of 4376	4872	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe	DesktopLayer.exe
PID 4872 wrote to memory of 4376	4872	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe	DesktopLayer.exe
PID 4872 wrote to memory of 4376	4872	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe	DesktopLayer.exe
PID 4376 wrote to memory of 2344	4376	DesktopLayer.exe	iexplore.exe
PID 4376 wrote to memory of 2344	4376	DesktopLayer.exe	iexplore.exe
PID 3428 wrote to memory of 4288	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
PID 3428 wrote to memory of 4288	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
PID 3428 wrote to memory of 4288	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
PID 2344 wrote to memory of 4500	2344	iexplore.exe	IEXPLORE.EXE
PID 2344 wrote to memory of 4500	2344	iexplore.exe	IEXPLORE.EXE
PID 2344 wrote to memory of 4500	2344	iexplore.exe	IEXPLORE.EXE
PID 4388 wrote to memory of 3992	4388	iexplore.exe	IEXPLORE.EXE
PID 4388 wrote to memory of 3992	4388	iexplore.exe	IEXPLORE.EXE
PID 4388 wrote to memory of 3992	4388	iexplore.exe	IEXPLORE.EXE
PID 3428 wrote to memory of 208	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	WerFault.exe
PID 3428 wrote to memory of 208	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	WerFault.exe
PID 3428 wrote to memory of 208	3428	2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe
"C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2740

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4388 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe
2⤵
- Executes dropped EXE
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 932
2⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 932
2⤵
- Program crash
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 932
2⤵
- Program crash
PID:492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3428 -ip 3428
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3428 -ip 3428
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
1KB

MD5
d4b2bdaad5a5b0740a5ec6e1e76f3202

SHA1
64dd3e8b735731b2559415f900c6a33dbd65fa1a

SHA256
9fbfca2bd00366816eab07791b13b2f75495af40a1442d6c30f892a4e1c18ed7

SHA512
cea4e51bf6eb0df840ad5c40af516727df683133e38fda7f554bc0664fd0da0edc78eaef30ea5399d438251250d877bb09d8306cb5bfa29756d8e60066b16b96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a8696dcae743f8427ce3c8f8d3c2961f

SHA1
dda2affe386f5c676179ccfec8bdfa5c3ba3dbb9

SHA256
0f42277f2a8f4168d408f335b5fe27849e19fe384ba31bc16d529293b700ffcf

SHA512
45b2e531a1ea34ac8f68775cd3a13ed2ac63d83f422c65b622cfda7537a14ca37048af51414aef13d47cc604a502d3294aa036ab0e1eb1c4973363f222bb1a2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a8696dcae743f8427ce3c8f8d3c2961f

SHA1
dda2affe386f5c676179ccfec8bdfa5c3ba3dbb9

SHA256
0f42277f2a8f4168d408f335b5fe27849e19fe384ba31bc16d529293b700ffcf

SHA512
45b2e531a1ea34ac8f68775cd3a13ed2ac63d83f422c65b622cfda7537a14ca37048af51414aef13d47cc604a502d3294aa036ab0e1eb1c4973363f222bb1a2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

Filesize
434B

MD5
df50ff93e1d0bb78e0efc78654c8dde0

SHA1
5ed9964662b5f6f7490457f31aea32d07602535d

SHA256
12441ac53642d94b2698b6c88c39ab17b61efde5f4f52d9bdcc06ceee97f7fe3

SHA512
6f8cff9ad3901e3b48549494441ea2f0e2ba2dcd58beb5c488bb5d85617b8776f7913ec9c5fd1965d008c9451564a376e73909f0592d72a00095c7294157ee4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
c04cd190f8ba418100e5cf6e8fd20c42

SHA1
b6a4984745165bfa3abdf2f0a1c01191e56ed847

SHA256
cd020fc7f055872d7c993bdd488cdb880f88923538b0a30549b9ed65356b6599

SHA512
ba0090825d4927d0b5567b0db71e4298d5c9675a88b587805ccffe1403332531335921d34e92d122d98e94ae8477193cbe642dfb270217bd96716f2ccb3b174e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
2cd8083e4b5b5644034ae4a12a3bc431

SHA1
5f69e58f8015318c7bebbc1b6ff47eaf487a004d

SHA256
4ce3e99208c5a0418b287987f62b8c17351d73899e82cde388dbd1b12039c876

SHA512
59a306d8b34de33914d4288b1992f297d6024f1165337faca9600502999cc9fd5c65a7c028f472a535fa5a0032c997f1edee891b5cb454a971c651796f148f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{69A5AF21-EC6F-11EC-AC67-7E7E0F8D8E49}.dat

Filesize
3KB

MD5
7087a8eb86ec108ba743902bba854218

SHA1
e7c87bc360530c011995c66a6b6ce1147b4e94b4

SHA256
25a3466c45111c681f6b37a214803ca3fab684163975d9adc19f701c71c27d60

SHA512
ecf7941b71e46542ff48099282253f32d2d4bf8ece6e55e1dbcf1d9bd8d13fe89af38ec4e32a43675af2f411b574ca7a24b54d9e77da9348336d82884015febb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{69AA723E-EC6F-11EC-AC67-7E7E0F8D8E49}.dat

Filesize
3KB

MD5
3c7e93ea259bc98d94809ba17eea8d3e

SHA1
ffa09b05b264b6a2be1f0e47e581c97c6f4239c9

SHA256
ea2b021d4ba835558c25b512c655a21d6aa38b92c37833c30aab9d6581b063ca

SHA512
58e8430c1758d45cf44adac377e5b311bfaa45268dd85df7940bc7a8a759923e092b3ef0e1fee960242e6d194dc4265aaa011dd98d86fb04c1b8e7c763f25d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bb2e3b6eae9a898f9686255c1c7a0bf6b17ccee7f422aee571179acb5f1b572Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\662749\MyNsisSkin.dll

Filesize
384KB

MD5
a6039ed51a4c143794345b29f5f09c64

SHA1
ef08cb5dfa598d9d5b43b8af49f54b2c7dac00d4

SHA256
95ae945504972cadcf2ccfb2b3d02ea8cade3ee53f2f2082e8b40b61f660877a

SHA512
0ed3d0c070bfd91e2355aec5a30ad5cbaf6949c965af5e0ee1ecf2edd5f5aeba3819b4667a0301f8b52c8fd56d3bae35fa4f77063d56c8f89055784d0c0a30a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\662749\MyNsisSkin.dll

Filesize
384KB

MD5
a6039ed51a4c143794345b29f5f09c64

SHA1
ef08cb5dfa598d9d5b43b8af49f54b2c7dac00d4

SHA256
95ae945504972cadcf2ccfb2b3d02ea8cade3ee53f2f2082e8b40b61f660877a

SHA512
0ed3d0c070bfd91e2355aec5a30ad5cbaf6949c965af5e0ee1ecf2edd5f5aeba3819b4667a0301f8b52c8fd56d3bae35fa4f77063d56c8f89055784d0c0a30a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAC73.tmp\ButtonEvent.dll

Filesize
4KB

MD5
fad9d09fc0267e8513b8628e767b2604

SHA1
bea76a7621c07b30ed90bedef4d608a5b9e15300

SHA256
5d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2

SHA512
b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAC73.tmp\ButtonEvent.dll

Filesize
4KB

MD5
fad9d09fc0267e8513b8628e767b2604

SHA1
bea76a7621c07b30ed90bedef4d608a5b9e15300

SHA256
5d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2

SHA512
b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAC73.tmp\MyNsisExtend.dll

Filesize
596KB

MD5
37e4e1ab9aee0596c2fa5888357a63b0

SHA1
a5dba8c0a1bd936dca2b6a81f2dc9a3005f1a2b6

SHA256
ff4b245fea98cedd881ca102468623a449a0b40df0c557dd8a6ea32e788d56fe

SHA512
5cbab2872683079c6cc09423a2baf7107b5ac5731f336cd237fa93a4a4ee53a127963dc0ec0dbc6168b9b3d2c3a881c7663ce4ecd84d964628dd566395d49bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAC73.tmp\MyNsisExtend.dll

Filesize
596KB

MD5
37e4e1ab9aee0596c2fa5888357a63b0

SHA1
a5dba8c0a1bd936dca2b6a81f2dc9a3005f1a2b6

SHA256
ff4b245fea98cedd881ca102468623a449a0b40df0c557dd8a6ea32e788d56fe

SHA512
5cbab2872683079c6cc09423a2baf7107b5ac5731f336cd237fa93a4a4ee53a127963dc0ec0dbc6168b9b3d2c3a881c7663ce4ecd84d964628dd566395d49bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAC73.tmp\System.dll

Filesize
67KB

MD5
bd05feb8825b15dcdd9100d478f04e17

SHA1
a67d82be96a439ce1c5400740da5c528f7f550e0

SHA256
4972cca9555b7e5dcb6feef63605305193835ea63f343df78902bbcd432ba496

SHA512
67f1894c79bbcef4c7fedd91e33ec48617d5d34c2d9ebcd700c935b7fe1b08971d4c68a71d5281abac97e62d6b8c8f318cc6ff15ea210ddcf21ff04a9e5a7f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAC73.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAC73.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAC73.tmp\nsRandom.dll

Filesize
77KB

MD5
d86b2899f423931131b696ff659aa7ed

SHA1
007ca98f5d7921fe26fb9b8bd8a822dd5ae09ed6

SHA256
8935cba8e9b276daa357a809e0eca3bebf3fdc6d0d3466ab37fb2cbbfacd3a94

SHA512
9a4437ab484e4e22597c642d21b0107a063a208a582df3a5bf276466ad8d0ba9aeebac6de8dcf1372939984bb187d58e94c799918cfbe80e85c958bf0a537fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAC73.tmp\nsRandom.dll

Filesize
77KB

MD5
d86b2899f423931131b696ff659aa7ed

SHA1
007ca98f5d7921fe26fb9b8bd8a822dd5ae09ed6

SHA256
8935cba8e9b276daa357a809e0eca3bebf3fdc6d0d3466ab37fb2cbbfacd3a94

SHA512
9a4437ab484e4e22597c642d21b0107a063a208a582df3a5bf276466ad8d0ba9aeebac6de8dcf1372939984bb187d58e94c799918cfbe80e85c958bf0a537fc7

Download Submit
memory/208-177-0x0000000000000000-mapping.dmp

Download
memory/2740-131-0x0000000000000000-mapping.dmp

Download
memory/2740-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2740-139-0x0000000000550000-0x000000000055F000-memory.dmp

Filesize
60KB

Download
memory/3428-167-0x00000000031C0000-0x000000000325A000-memory.dmp

Filesize
616KB

Download
memory/3428-145-0x0000000003021000-0x0000000003062000-memory.dmp

Filesize
260KB

Download
memory/3428-166-0x00000000031C0000-0x000000000325A000-memory.dmp

Filesize
616KB

Download
memory/3428-171-0x0000000004541000-0x0000000004543000-memory.dmp

Filesize
8KB

Download
memory/3428-162-0x00000000031C0000-0x000000000325A000-memory.dmp

Filesize
616KB

Download
memory/3428-183-0x0000000003020000-0x0000000003082000-memory.dmp

Filesize
392KB

Download
memory/3428-158-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3428-150-0x0000000003020000-0x0000000003082000-memory.dmp

Filesize
392KB

Download
memory/3428-159-0x0000000003020000-0x0000000003082000-memory.dmp

Filesize
392KB

Download
memory/3428-134-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3428-157-0x0000000003020000-0x0000000003041000-memory.dmp

Filesize
132KB

Download
memory/3428-149-0x0000000003020000-0x0000000003082000-memory.dmp

Filesize
392KB

Download
memory/3428-140-0x0000000003020000-0x0000000003041000-memory.dmp

Filesize
132KB

Download
memory/3428-182-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4288-164-0x0000000000000000-mapping.dmp

Download
memory/4288-168-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4288-172-0x0000000000480000-0x000000000048F000-memory.dmp

Filesize
60KB

Download
memory/4376-154-0x0000000000000000-mapping.dmp

Download
memory/4604-138-0x0000000000000000-mapping.dmp

Download
memory/4604-148-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4604-146-0x0000000000470000-0x000000000047F000-memory.dmp

Filesize
60KB

Download
memory/4872-151-0x0000000000000000-mapping.dmp

Download