ramnit | 26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21

Analysis

max time kernel
106s
max time network
144s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-06-2022 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe
Size

3.6MB
MD5

8ac6048052fe6d058ea3c6b5a386e8c6
SHA1

d1421972e36d14ec459b610eae60f1887d095038
SHA256

26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21
SHA512

90830292633117c2b6990abed881dc39dfeb7cefdb060fda4748fcae3e37a82b20ee2b9fd7e3d6398af345e81c7a7827b52b7738a4e8e574233c5d5aad6918c3

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 7 IoCs

Processes:

26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exeDesktopLayer.exeHEU_KMS_Activator_v11.2.0.EXEDownLoader.sfx.exe7Z.EXEDownLoader.exekms_x64.exe

pid	process
1684	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
996	DesktopLayer.exe
528	HEU_KMS_Activator_v11.2.0.EXE
964	DownLoader.sfx.exe
972	7Z.EXE
1776	DownLoader.exe
948	kms_x64.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe	upx
behavioral1/memory/1684-63-0x0000000000400000-0x000000000042E000-memory.dmp	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/996-67-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx

Loads dropped DLL 12 IoCs

Processes:

26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exeHEU_KMS_Activator_v11.2.0.EXEDownLoader.sfx.exe

pid	process
1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe
1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe
1684	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe
1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe
528	HEU_KMS_Activator_v11.2.0.EXE
528	HEU_KMS_Activator_v11.2.0.EXE
964	DownLoader.sfx.exe
964	DownLoader.sfx.exe
964	DownLoader.sfx.exe
964	DownLoader.sfx.exe
528	HEU_KMS_Activator_v11.2.0.EXE

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Windows\Temp\HEU_KMS_Activator_v11.2.0.exe	autoit_exe
C:\Windows\Temp\HEU_KMS_Activator_v11.2.0.exe	autoit_exe
C:\Windows\Temp\HEU_KMS_Activator_v11.2.0.EXE	autoit_exe
\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\kms_x64.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\kms_x64.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\kms_x64.exe	autoit_exe

Drops file in Program Files directory 3 IoCs

Processes:

26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxF98C.tmp	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "362133740"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CE716521-ED4F-11EC-BA79-C6DEEDF3EE1E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

996 DesktopLayer.exe
996 DesktopLayer.exe
996 DesktopLayer.exe
996 DesktopLayer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

kms_x64.exe

pid process

948 kms_x64.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1516 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1516 iexplore.exe
1516 iexplore.exe
1624 IEXPLORE.EXE
1624 IEXPLORE.EXE

pid	process
996	DesktopLayer.exe
996	DesktopLayer.exe
996	DesktopLayer.exe
996	DesktopLayer.exe

pid	process
948	kms_x64.exe

pid	process
1516	iexplore.exe

pid	process
1516	iexplore.exe
1516	iexplore.exe
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exeDesktopLayer.exeiexplore.exeHEU_KMS_Activator_v11.2.0.EXEDownLoader.sfx.exeDownLoader.exe

description	pid	process	target process
PID 1800 wrote to memory of 1684	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
PID 1800 wrote to memory of 1684	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
PID 1800 wrote to memory of 1684	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
PID 1800 wrote to memory of 1684	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
PID 1684 wrote to memory of 996	1684	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe	DesktopLayer.exe
PID 1684 wrote to memory of 996	1684	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe	DesktopLayer.exe
PID 1684 wrote to memory of 996	1684	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe	DesktopLayer.exe
PID 1684 wrote to memory of 996	1684	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe	DesktopLayer.exe
PID 996 wrote to memory of 1516	996	DesktopLayer.exe	iexplore.exe
PID 996 wrote to memory of 1516	996	DesktopLayer.exe	iexplore.exe
PID 996 wrote to memory of 1516	996	DesktopLayer.exe	iexplore.exe
PID 996 wrote to memory of 1516	996	DesktopLayer.exe	iexplore.exe
PID 1800 wrote to memory of 528	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	HEU_KMS_Activator_v11.2.0.EXE
PID 1800 wrote to memory of 528	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	HEU_KMS_Activator_v11.2.0.EXE
PID 1800 wrote to memory of 528	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	HEU_KMS_Activator_v11.2.0.EXE
PID 1800 wrote to memory of 528	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	HEU_KMS_Activator_v11.2.0.EXE
PID 1516 wrote to memory of 1624	1516	iexplore.exe	IEXPLORE.EXE
PID 1516 wrote to memory of 1624	1516	iexplore.exe	IEXPLORE.EXE
PID 1516 wrote to memory of 1624	1516	iexplore.exe	IEXPLORE.EXE
PID 1516 wrote to memory of 1624	1516	iexplore.exe	IEXPLORE.EXE
PID 1800 wrote to memory of 964	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	DownLoader.sfx.exe
PID 1800 wrote to memory of 964	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	DownLoader.sfx.exe
PID 1800 wrote to memory of 964	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	DownLoader.sfx.exe
PID 1800 wrote to memory of 964	1800	26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe	DownLoader.sfx.exe
PID 528 wrote to memory of 972	528	HEU_KMS_Activator_v11.2.0.EXE	7Z.EXE
PID 528 wrote to memory of 972	528	HEU_KMS_Activator_v11.2.0.EXE	7Z.EXE
PID 528 wrote to memory of 972	528	HEU_KMS_Activator_v11.2.0.EXE	7Z.EXE
PID 528 wrote to memory of 972	528	HEU_KMS_Activator_v11.2.0.EXE	7Z.EXE
PID 964 wrote to memory of 1776	964	DownLoader.sfx.exe	DownLoader.exe
PID 964 wrote to memory of 1776	964	DownLoader.sfx.exe	DownLoader.exe
PID 964 wrote to memory of 1776	964	DownLoader.sfx.exe	DownLoader.exe
PID 964 wrote to memory of 1776	964	DownLoader.sfx.exe	DownLoader.exe
PID 528 wrote to memory of 948	528	HEU_KMS_Activator_v11.2.0.EXE	kms_x64.exe
PID 528 wrote to memory of 948	528	HEU_KMS_Activator_v11.2.0.EXE	kms_x64.exe
PID 528 wrote to memory of 948	528	HEU_KMS_Activator_v11.2.0.EXE	kms_x64.exe
PID 528 wrote to memory of 948	528	HEU_KMS_Activator_v11.2.0.EXE	kms_x64.exe
PID 1776 wrote to memory of 452	1776	DownLoader.exe	cmd.exe
PID 1776 wrote to memory of 452	1776	DownLoader.exe	cmd.exe
PID 1776 wrote to memory of 452	1776	DownLoader.exe	cmd.exe
PID 1776 wrote to memory of 452	1776	DownLoader.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe
"C:\Users\Admin\AppData\Local\Temp\26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
C:\Users\Admin\AppData\Local\Temp\26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Windows\Temp\HEU_KMS_Activator_v11.2.0.EXE
C:\Windows\Temp\HEU_KMS_Activator_v11.2.0.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Local\Temp\7Z.EXE
C:\Users\Admin\AppData\Local\Temp\7Z.EXE x C:\Users\Admin\AppData\Local\Temp\KMSmini.7z -y -oC:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\
3⤵
- Executes dropped EXE
PID:972

C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\kms_x64.exe
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\kms_x64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:948

C:\Windows\Temp\DownLoader.sfx.exe
C:\Windows\Temp\DownLoader.sfx.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\Temp\DownLoader.exe
"C:\Windows\Temp\DownLoader.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Temp\Clear.bat" "
4⤵
PID:452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Z.EXE
Filesize
491KB

MD5
2c3378903654f844d818fc2f0d619617

SHA1
4ef8a59d7997d0baa3224110e1ae911d2d9dad88

SHA256
c360ca3555f426d0c66d23998e4fb01be4d1fdfa71fc29102c8cfe821303abdf

SHA512
da9a690235dc8f08373631c2e1573da2c4e1f4ec04a0cf0d7d38c52d0c242f3add554c96a3e2df252371eee3af083bc1c6420b7b5da93e0db8ba272c2d48536d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\ICO_211.ico
Filesize
43KB

MD5
c6c1bffd7d5c3173449b8af7707dfd3b

SHA1
79b84d448e48b3fec5aabb7bee8c48cd2d1d9ab3

SHA256
b100298eec4cca9dc3af40cd9897d10c37d70441e04a4b855c22503a53602916

SHA512
7082205405c6fb0de32011a5dcf1c14fb3c1adea40e96d8a3cd234e84334266ac3642659c56dc7e8ac9c57c3c513258e69b21c0ee84078e6d793821400775b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\ICO_221.ico
Filesize
24KB

MD5
94306384efdadfdcea096a022738bf1e

SHA1
72385c23173686ac2500ba3bca094c0c94e76212

SHA256
9672b50641ba9f9f1735fee2d3ba4fdc5bda18545530ee1869e01c25618c1345

SHA512
38f7de2ab148daea9f879665459fe374b1032b10eb1be6769fa17ffc8fc9b12a4bf8b9822a3bca2c8704aec7a996d5fe058e2a759a21f351162a8fcca729bbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\kms_x64.exe
Filesize
883KB

MD5
d702b034f55f71ba716d62d18931ea76

SHA1
8b5e078c803f6e91175926bd034755f8c61b4153

SHA256
d746ccb0ec85a812bc6d1c32208f738a784d27064fdd70a9adf7289eef8ac47a

SHA512
5f7010d86fc8ff8dd4c209b4b643677f27ad5552f561b5be7330f5affbe9cc20fc03fe5de89267b42495665bcbc33997125798ba5530d87a53379552f28c076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\kms_x64.exe
Filesize
883KB

MD5
d702b034f55f71ba716d62d18931ea76

SHA1
8b5e078c803f6e91175926bd034755f8c61b4153

SHA256
d746ccb0ec85a812bc6d1c32208f738a784d27064fdd70a9adf7289eef8ac47a

SHA512
5f7010d86fc8ff8dd4c209b4b643677f27ad5552f561b5be7330f5affbe9cc20fc03fe5de89267b42495665bcbc33997125798ba5530d87a53379552f28c076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\left.jpg
Filesize
2KB

MD5
a19310fde49bedc57b9a3b15ac12c7ca

SHA1
4cb249d62ccda681dfbd8fd898ffc9d428dd9710

SHA256
606f8a834ac0570de63b1dc3f7235f05e333338e8de5e5774c76caa1c338cef9

SHA512
3e6f425e848b2ab246c9f188c7adb769e952b46d948ee4e5dae4aebdd099325e3aa94529998c1e1e794cfbf83bf89091a18c8ca0e16dd6a3b39d27c0849f2be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\theme.jpg
Filesize
3KB

MD5
8106fe4184c10cd16e50d7d991faad53

SHA1
6f0424df7d885933489535780e7a405f51e0df1e

SHA256
cd78691dfe096dc99d2a46c921884922511616937efe51018eaf500c8c77314a

SHA512
117030f208d3a8b110b932e300ea13abdff5498e1263639a714a2e3319b53145b1d0763364c6e4b036057df84cfd45ce68515cde9cdf6c1d09a6d1eb83cbcc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSmini.7z
Filesize
2.5MB

MD5
a8280fdb0a5878114cd2f199a8b3d17f

SHA1
43a3e4a2ee95fd0e5fc0982166ee11f230b86c58

SHA256
7901ae0b153cdb7dbdd1085207055d9ebbad12cca56b404471d63de3eb8b41b5

SHA512
4c0f8357c3c53c6d086cb60f776df55f6b9d3039f860d9d3749128dc91c5dc2e096e13be1c07f5f1e848364740c92dfb9ca50ad159f60e0548a169a94d5e9df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XY3TZS2S.txt
Filesize
606B

MD5
b02689cae3c13378b54ee530734e9a63

SHA1
fc218f14df42079f5d78742d564694a1a1dbcfa2

SHA256
8e058d579f04ea3d73f1a407c356bf95e39d98bd53c4997e6f435e1f0f05f95c

SHA512
843c86cabf2fe60bb809319e7033167cd99201a7199e9bc3306729bbd6a4cce1dc59f3c2d4bfc97284d8b839c8dda15b80070a09c0b45415fc5fdce50c7d7090

Download Submit
C:\Windows\Temp\Clear.bat
Filesize
61B

MD5
76115ac3115a6c590fe4bb994d15986b

SHA1
7a01270bcbd16629a12476365236c8983b3a74c8

SHA256
4bdefe9687d6c58ed1ce893569c87b3a8d6c74f5bd86f8374429acfa4c19e451

SHA512
cd63c685a04bb8030183659b27c3d261337c742a89eda7c7f5945bd6583d08aeab51854213a43724b9fa40de520f30cf3aac85286de8bfe5ed106aa13d9604cf

Download Submit
C:\Windows\Temp\DownLoader.exe
Filesize
485KB

MD5
df154813ef3a3c693850f803dde4af18

SHA1
ef626c3ecfc3471c2caac053ebdf544c296f8bda

SHA256
aac5d2ffc5666f54794f723e2c9d76622da575bc7efd5537c47cb5477baf2ceb

SHA512
cad09a54c2ec1f23361788bbbdda217b54dd984cbc59c09129a1297ec2019d7194b775b3cc317159bb5cd609e48600dfc6cfce5001a6e6eccbef7e6358f23f28

Download Submit
C:\Windows\Temp\DownLoader.exe
Filesize
485KB

MD5
df154813ef3a3c693850f803dde4af18

SHA1
ef626c3ecfc3471c2caac053ebdf544c296f8bda

SHA256
aac5d2ffc5666f54794f723e2c9d76622da575bc7efd5537c47cb5477baf2ceb

SHA512
cad09a54c2ec1f23361788bbbdda217b54dd984cbc59c09129a1297ec2019d7194b775b3cc317159bb5cd609e48600dfc6cfce5001a6e6eccbef7e6358f23f28

Download Submit
C:\Windows\Temp\DownLoader.sfx.exe
Filesize
474KB

MD5
00c17a881372fde0633380a3f0940b1d

SHA1
73edd702b87d9531d6afd87da25a6ff51e264577

SHA256
8ed6d14f635f64e1a09c6addac90011044c0fef021f6a459bafcfa41a109ecbb

SHA512
4d23c04f8c626cfcf36fe3b6c6b672982cf473213591f3db12b976593a6bebcf2301c921df47e42388461eafa60ca3118ec781fa495fa607c0ffe559b4f69b06

Download Submit
C:\Windows\Temp\DownLoader.sfx.exe
Filesize
474KB

MD5
00c17a881372fde0633380a3f0940b1d

SHA1
73edd702b87d9531d6afd87da25a6ff51e264577

SHA256
8ed6d14f635f64e1a09c6addac90011044c0fef021f6a459bafcfa41a109ecbb

SHA512
4d23c04f8c626cfcf36fe3b6c6b672982cf473213591f3db12b976593a6bebcf2301c921df47e42388461eafa60ca3118ec781fa495fa607c0ffe559b4f69b06

Download Submit
C:\Windows\Temp\HEU_KMS_Activator_v11.2.0.EXE
Filesize
3.5MB

MD5
1a48e0e1dd4473eb30a45d8860dba038

SHA1
47bde7ab37badebd731c3f8579bb3bb15b773163

SHA256
5ad3ba6a79e8c71c06738c0ac0a078b43d208d99bc458b5dd9724682894fd204

SHA512
398d00f486232a829d562734ff0800fc16c1bc93cbd37a103d58c2692100cf061bc0fbee3855c4b5abc816730a631369fff25c7c0f0d3a5f8bfd71c30dfde9c1

Download Submit
C:\Windows\Temp\HEU_KMS_Activator_v11.2.0.exe
Filesize
3.5MB

MD5
1a48e0e1dd4473eb30a45d8860dba038

SHA1
47bde7ab37badebd731c3f8579bb3bb15b773163

SHA256
5ad3ba6a79e8c71c06738c0ac0a078b43d208d99bc458b5dd9724682894fd204

SHA512
398d00f486232a829d562734ff0800fc16c1bc93cbd37a103d58c2692100cf061bc0fbee3855c4b5abc816730a631369fff25c7c0f0d3a5f8bfd71c30dfde9c1

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\26dabe0dcfdda0b276272aa36803e9c68d16c0c9be268bfcb63d5004b639db21Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\7Z.EXE
Filesize
491KB

MD5
2c3378903654f844d818fc2f0d619617

SHA1
4ef8a59d7997d0baa3224110e1ae911d2d9dad88

SHA256
c360ca3555f426d0c66d23998e4fb01be4d1fdfa71fc29102c8cfe821303abdf

SHA512
da9a690235dc8f08373631c2e1573da2c4e1f4ec04a0cf0d7d38c52d0c242f3add554c96a3e2df252371eee3af083bc1c6420b7b5da93e0db8ba272c2d48536d

Download Submit
\Users\Admin\AppData\Local\Temp\7Z.EXE
Filesize
491KB

MD5
2c3378903654f844d818fc2f0d619617

SHA1
4ef8a59d7997d0baa3224110e1ae911d2d9dad88

SHA256
c360ca3555f426d0c66d23998e4fb01be4d1fdfa71fc29102c8cfe821303abdf

SHA512
da9a690235dc8f08373631c2e1573da2c4e1f4ec04a0cf0d7d38c52d0c242f3add554c96a3e2df252371eee3af083bc1c6420b7b5da93e0db8ba272c2d48536d

Download Submit
\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_112\kms_x64.exe
Filesize
883KB

MD5
d702b034f55f71ba716d62d18931ea76

SHA1
8b5e078c803f6e91175926bd034755f8c61b4153

SHA256
d746ccb0ec85a812bc6d1c32208f738a784d27064fdd70a9adf7289eef8ac47a

SHA512
5f7010d86fc8ff8dd4c209b4b643677f27ad5552f561b5be7330f5affbe9cc20fc03fe5de89267b42495665bcbc33997125798ba5530d87a53379552f28c076b

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF911.tmp\System.dll
Filesize
67KB

MD5
6694bcd5ecd125cacfb99b6884b1f66b

SHA1
1479e93a913fa44eb017c2b36a6518782d9179e2

SHA256
60b4baa11dcbcab53c55cf45d49b324a785c8cbf51c33ea97c38ed8f11d0e9c6

SHA512
2bc99433c006a86f631f57adf6c57eb16b9c84b6eb05f0a73741127fab6bd2e1685cfbe9d2a653c4b590d10a7bd36b0be79392a3058e199e7a18158c75dc14eb

Download Submit
\Windows\Temp\DownLoader.exe
Filesize
485KB

MD5
df154813ef3a3c693850f803dde4af18

SHA1
ef626c3ecfc3471c2caac053ebdf544c296f8bda

SHA256
aac5d2ffc5666f54794f723e2c9d76622da575bc7efd5537c47cb5477baf2ceb

SHA512
cad09a54c2ec1f23361788bbbdda217b54dd984cbc59c09129a1297ec2019d7194b775b3cc317159bb5cd609e48600dfc6cfce5001a6e6eccbef7e6358f23f28

Download Submit
\Windows\Temp\DownLoader.exe
Filesize
485KB

MD5
df154813ef3a3c693850f803dde4af18

SHA1
ef626c3ecfc3471c2caac053ebdf544c296f8bda

SHA256
aac5d2ffc5666f54794f723e2c9d76622da575bc7efd5537c47cb5477baf2ceb

SHA512
cad09a54c2ec1f23361788bbbdda217b54dd984cbc59c09129a1297ec2019d7194b775b3cc317159bb5cd609e48600dfc6cfce5001a6e6eccbef7e6358f23f28

Download Submit
\Windows\Temp\DownLoader.exe
Filesize
485KB

MD5
df154813ef3a3c693850f803dde4af18

SHA1
ef626c3ecfc3471c2caac053ebdf544c296f8bda

SHA256
aac5d2ffc5666f54794f723e2c9d76622da575bc7efd5537c47cb5477baf2ceb

SHA512
cad09a54c2ec1f23361788bbbdda217b54dd984cbc59c09129a1297ec2019d7194b775b3cc317159bb5cd609e48600dfc6cfce5001a6e6eccbef7e6358f23f28

Download Submit
\Windows\Temp\DownLoader.exe
Filesize
485KB

MD5
df154813ef3a3c693850f803dde4af18

SHA1
ef626c3ecfc3471c2caac053ebdf544c296f8bda

SHA256
aac5d2ffc5666f54794f723e2c9d76622da575bc7efd5537c47cb5477baf2ceb

SHA512
cad09a54c2ec1f23361788bbbdda217b54dd984cbc59c09129a1297ec2019d7194b775b3cc317159bb5cd609e48600dfc6cfce5001a6e6eccbef7e6358f23f28

Download Submit
\Windows\Temp\DownLoader.sfx.exe
Filesize
474KB

MD5
00c17a881372fde0633380a3f0940b1d

SHA1
73edd702b87d9531d6afd87da25a6ff51e264577

SHA256
8ed6d14f635f64e1a09c6addac90011044c0fef021f6a459bafcfa41a109ecbb

SHA512
4d23c04f8c626cfcf36fe3b6c6b672982cf473213591f3db12b976593a6bebcf2301c921df47e42388461eafa60ca3118ec781fa495fa607c0ffe559b4f69b06

Download Submit
\Windows\Temp\HEU_KMS_Activator_v11.2.0.exe
Filesize
3.5MB

MD5
1a48e0e1dd4473eb30a45d8860dba038

SHA1
47bde7ab37badebd731c3f8579bb3bb15b773163

SHA256
5ad3ba6a79e8c71c06738c0ac0a078b43d208d99bc458b5dd9724682894fd204

SHA512
398d00f486232a829d562734ff0800fc16c1bc93cbd37a103d58c2692100cf061bc0fbee3855c4b5abc816730a631369fff25c7c0f0d3a5f8bfd71c30dfde9c1

Download Submit
memory/452-105-0x0000000000000000-mapping.dmp

Download
memory/528-92-0x0000000002550000-0x00000000025E5000-memory.dmp

Filesize
596KB

Download
memory/528-93-0x0000000002550000-0x00000000025E5000-memory.dmp

Filesize
596KB

Download
memory/528-69-0x0000000000000000-mapping.dmp

Download
memory/948-97-0x0000000000000000-mapping.dmp

Download
memory/948-99-0x000007FEFBA91000-0x000007FEFBA93000-memory.dmp

Filesize
8KB

Download
memory/964-75-0x0000000000000000-mapping.dmp

Download
memory/972-95-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/972-82-0x0000000000000000-mapping.dmp

Download
memory/972-94-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/996-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/996-62-0x0000000000000000-mapping.dmp

Download
memory/1684-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1684-57-0x0000000000000000-mapping.dmp

Download
memory/1776-89-0x0000000000000000-mapping.dmp

Download
memory/1800-72-0x00000000003A0000-0x00000000003CE000-memory.dmp

Filesize
184KB

Download
memory/1800-70-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1800-54-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download