ramnit | 32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea

Analysis

max time kernel
99s
max time network
142s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-06-2022 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe
Size

15.0MB
MD5

291c23b98eea441ca97d286801aadac5
SHA1

2557aaa16a7bd1a5d04126354395b0efbb5d7f52
SHA256

32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea
SHA512

a738ce705c75d6f2014397d41b0d580e75ddb5abb50c0a3f3e28ae0894325e7821c8e7756cb9b3242fd57585adc2c45f2f14733feec43b2fa502174688319210

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 6 IoCs

Processes:

32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exeDesktopLayer.exe32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exeDesktopLayer.exe32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exeDesktopLayer.exe

pid	process
1536	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
1472	DesktopLayer.exe
528	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
280	DesktopLayer.exe
364	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
1760	DesktopLayer.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
\Users\Admin\AppData\Local\Temp\nsi560.tmp\nsRandom.dll	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1536-69-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1472-74-0x0000000000400000-0x000000000042E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx

Loads dropped DLL 24 IoCs

Processes:

32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exeDesktopLayer.exe32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exeDesktopLayer.exe32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exeDesktopLayer.exe

pid	process
1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe
1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe
1536	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
1536	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe
1536	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
1472	DesktopLayer.exe
1472	DesktopLayer.exe
1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe
1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe
528	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
528	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
528	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
280	DesktopLayer.exe
280	DesktopLayer.exe
1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe
1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe
364	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
364	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
364	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
1760	DesktopLayer.exe
1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe
1760	DesktopLayer.exe
1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe

Drops file in Program Files directory 7 IoCs

Processes:

32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px723.tmp	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px87A.tmp	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5EB.tmp	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EB8D9491-F05A-11EC-AF2C-D2F97027F5CF} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EBB65241-F05A-11EC-AF2C-D2F97027F5CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EBEAB081-F05A-11EC-AF2C-D2F97027F5CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

DesktopLayer.exeDesktopLayer.exeDesktopLayer.exe

pid	process
1472	DesktopLayer.exe
1472	DesktopLayer.exe
1472	DesktopLayer.exe
1472	DesktopLayer.exe
280	DesktopLayer.exe
280	DesktopLayer.exe
280	DesktopLayer.exe
280	DesktopLayer.exe
1760	DesktopLayer.exe
1760	DesktopLayer.exe
1760	DesktopLayer.exe
1760	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

1088 iexplore.exe
1732 iexplore.exe
1944 iexplore.exe

pid	process
1088	iexplore.exe
1732	iexplore.exe
1944	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe
1732	iexplore.exe
1732	iexplore.exe
1088	iexplore.exe
1088	iexplore.exe
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE
984	IEXPLORE.EXE
984	IEXPLORE.EXE
1944	iexplore.exe
1944	iexplore.exe
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1980 wrote to memory of 1536	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 1536	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 1536	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 1536	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 1536	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 1536	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 1536	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1536 wrote to memory of 1472	1536	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 1536 wrote to memory of 1472	1536	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 1536 wrote to memory of 1472	1536	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 1536 wrote to memory of 1472	1536	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 1536 wrote to memory of 1472	1536	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 1536 wrote to memory of 1472	1536	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 1536 wrote to memory of 1472	1536	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 1472 wrote to memory of 1732	1472	DesktopLayer.exe	iexplore.exe
PID 1472 wrote to memory of 1732	1472	DesktopLayer.exe	iexplore.exe
PID 1472 wrote to memory of 1732	1472	DesktopLayer.exe	iexplore.exe
PID 1472 wrote to memory of 1732	1472	DesktopLayer.exe	iexplore.exe
PID 1980 wrote to memory of 528	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 528	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 528	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 528	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 528	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 528	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 528	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 528 wrote to memory of 280	528	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 528 wrote to memory of 280	528	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 528 wrote to memory of 280	528	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 528 wrote to memory of 280	528	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 528 wrote to memory of 280	528	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 528 wrote to memory of 280	528	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 528 wrote to memory of 280	528	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 280 wrote to memory of 1088	280	DesktopLayer.exe	iexplore.exe
PID 280 wrote to memory of 1088	280	DesktopLayer.exe	iexplore.exe
PID 280 wrote to memory of 1088	280	DesktopLayer.exe	iexplore.exe
PID 280 wrote to memory of 1088	280	DesktopLayer.exe	iexplore.exe
PID 1980 wrote to memory of 364	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 364	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 364	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 364	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 364	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 364	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 1980 wrote to memory of 364	1980	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
PID 364 wrote to memory of 1760	364	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 364 wrote to memory of 1760	364	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 364 wrote to memory of 1760	364	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 364 wrote to memory of 1760	364	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 364 wrote to memory of 1760	364	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 364 wrote to memory of 1760	364	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 364 wrote to memory of 1760	364	32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe	DesktopLayer.exe
PID 1760 wrote to memory of 1944	1760	DesktopLayer.exe	iexplore.exe
PID 1760 wrote to memory of 1944	1760	DesktopLayer.exe	iexplore.exe
PID 1760 wrote to memory of 1944	1760	DesktopLayer.exe	iexplore.exe
PID 1760 wrote to memory of 1944	1760	DesktopLayer.exe	iexplore.exe
PID 1732 wrote to memory of 984	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 984	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 984	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 984	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 984	1732	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 1360	1088	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 984	1732	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 1360	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 1360	1088	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 984	1732	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe
"C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029ea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1536

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1472

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:984

C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:528

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1088 CREDAT:340993 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:364

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1944 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EB8D9491-F05A-11EC-AF2C-D2F97027F5CF}.dat
Filesize
4KB

MD5
171505f66b4f22aac26e7dba2c3a71f1

SHA1
a07e1cd9d795852e3e243404708f4d6d08d09f0b

SHA256
25a8272a19d8850ef439b920bee4d7873e64b3c30a67a42b1e04d36e9f1ab145

SHA512
4e88dccfe99a663299f83c27ab3d563b910190da63cf9a361517b85e5bb0f1c78c7b4634246a554c4c2a708fe8d78d6a678170f7518c50b1b67d85ce376833d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EBB65241-F05A-11EC-AF2C-D2F97027F5CF}.dat
Filesize
5KB

MD5
a71ed013698d906f7a915e6abc573145

SHA1
0b34489d3d1db30fd442a8787b9aad1a8f773eb8

SHA256
f02bb82fdbd2325f0ca471cdb5f5dfa78e9219c54315c4ef0518464e423c2016

SHA512
a20ecff371f5eae800e6c73701f088806f88016ac67928155122f44af66035a9b7f4a201934c7ff92548447b48536fe41c29f0eb087a8e738ad78ba458584184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EBB65241-F05A-11EC-AF2C-D2F97027F5CF}.dat
Filesize
5KB

MD5
f0c7ccfcfa858914ae428c34e3154e6b

SHA1
af1f98722c720058793330a7879d3e52e701b7b1

SHA256
7495ab9ad8b05c35d309800123f7c9a5cf3a78aaee712839f3128f2570c9bf25

SHA512
3d76828cb6185d8d656de26eff5b18c3af8df7ee61e3a6c4b75f003a6694e75b12bdc6b07355147692b156a9aa888d1fc168bad3a77b94dc434ee7a8ec5cce08

Download Submit
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NY4CJ83E.txt
Filesize
604B

MD5
d25bd0f5597a10ec906ec81736116f77

SHA1
4ddcd9a803bc3372ca1d0bc828392c72bb5f45c2

SHA256
6378bb34f15dec91b0bbbf6fa2a69833329e47c2ba8baf7af478d2e479d2fb5c

SHA512
ad5d06fb125d1ed8c895bafaa81360233751479cd9241aa1fbd9f73f5f5195a796c167063c86aa2f60872ed20409aa4877841e12d1131a53eed36fd389040e41

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\1937704\MyNsisSkin.dll
Filesize
384KB

MD5
a6039ed51a4c143794345b29f5f09c64

SHA1
ef08cb5dfa598d9d5b43b8af49f54b2c7dac00d4

SHA256
95ae945504972cadcf2ccfb2b3d02ea8cade3ee53f2f2082e8b40b61f660877a

SHA512
0ed3d0c070bfd91e2355aec5a30ad5cbaf6949c965af5e0ee1ecf2edd5f5aeba3819b4667a0301f8b52c8fd56d3bae35fa4f77063d56c8f89055784d0c0a30a8

Download Submit
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\32b695b0032ae53bbfb3533ff70d8c22d0e65ce16115e5ef3bc82d5ce0e029eaSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\nsi560.tmp\ButtonEvent.dll
Filesize
4KB

MD5
fad9d09fc0267e8513b8628e767b2604

SHA1
bea76a7621c07b30ed90bedef4d608a5b9e15300

SHA256
5d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2

SHA512
b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805

Download Submit
\Users\Admin\AppData\Local\Temp\nsi560.tmp\MyNsisExtend.dll
Filesize
596KB

MD5
37e4e1ab9aee0596c2fa5888357a63b0

SHA1
a5dba8c0a1bd936dca2b6a81f2dc9a3005f1a2b6

SHA256
ff4b245fea98cedd881ca102468623a449a0b40df0c557dd8a6ea32e788d56fe

SHA512
5cbab2872683079c6cc09423a2baf7107b5ac5731f336cd237fa93a4a4ee53a127963dc0ec0dbc6168b9b3d2c3a881c7663ce4ecd84d964628dd566395d49bb3

Download Submit
\Users\Admin\AppData\Local\Temp\nsi560.tmp\System.dll
Filesize
67KB

MD5
bd05feb8825b15dcdd9100d478f04e17

SHA1
a67d82be96a439ce1c5400740da5c528f7f550e0

SHA256
4972cca9555b7e5dcb6feef63605305193835ea63f343df78902bbcd432ba496

SHA512
67f1894c79bbcef4c7fedd91e33ec48617d5d34c2d9ebcd700c935b7fe1b08971d4c68a71d5281abac97e62d6b8c8f318cc6ff15ea210ddcf21ff04a9e5a7f95

Download Submit
\Users\Admin\AppData\Local\Temp\nsi560.tmp\nsDialogs.dll
Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi560.tmp\nsRandom.dll
Filesize
77KB

MD5
d86b2899f423931131b696ff659aa7ed

SHA1
007ca98f5d7921fe26fb9b8bd8a822dd5ae09ed6

SHA256
8935cba8e9b276daa357a809e0eca3bebf3fdc6d0d3466ab37fb2cbbfacd3a94

SHA512
9a4437ab484e4e22597c642d21b0107a063a208a582df3a5bf276466ad8d0ba9aeebac6de8dcf1372939984bb187d58e94c799918cfbe80e85c958bf0a537fc7

Download Submit
memory/280-86-0x0000000000000000-mapping.dmp

Download
memory/364-96-0x0000000000000000-mapping.dmp

Download
memory/528-79-0x0000000000000000-mapping.dmp

Download
memory/1472-74-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1472-66-0x0000000000000000-mapping.dmp

Download
memory/1536-58-0x0000000000000000-mapping.dmp

Download
memory/1536-70-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1536-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1760-103-0x0000000000000000-mapping.dmp

Download
memory/1980-116-0x0000000002E10000-0x0000000002EAA000-memory.dmp

Filesize
616KB

Download
memory/1980-114-0x0000000002C90000-0x0000000002CF2000-memory.dmp

Filesize
392KB

Download
memory/1980-115-0x0000000002D00000-0x0000000002D2E000-memory.dmp

Filesize
184KB

Download
memory/1980-54-0x00000000768D1000-0x00000000768D3000-memory.dmp

Filesize
8KB

Download
memory/1980-117-0x0000000002C90000-0x0000000002CB1000-memory.dmp

Filesize
132KB

Download
memory/1980-118-0x0000000002ED0000-0x0000000002EFE000-memory.dmp

Filesize
184KB

Download
memory/1980-56-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1980-120-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1980-122-0x0000000002D00000-0x0000000002D2E000-memory.dmp

Filesize
184KB

Download
memory/1980-121-0x0000000002C90000-0x0000000002CF2000-memory.dmp

Filesize
392KB

Download
memory/1980-123-0x0000000002E10000-0x0000000002EAA000-memory.dmp

Filesize
616KB

Download
memory/1980-113-0x0000000002C90000-0x0000000002CBE000-memory.dmp

Filesize
184KB

Download