ramnit | 2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf

Analysis

max time kernel
120s
max time network
151s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-06-2022 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe
Size

6.2MB
MD5

0fe34c125e732e7410d5135ee5c35d18
SHA1

4b5e14fafd6b427ab565f3060bf22c075b564ff7
SHA256

2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf
SHA512

f25e0f92d84fe7682e1547eeae8d0781015732752fc4c6706e9a9687efc21d68916fbd638f7b87538b5931dd935f143ca8638b488ddc0a0d544d66ece1fff272

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 6 IoCs

Processes:

2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exeDesktopLayer.exe2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exeDesktopLayer.exe2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exeDesktopLayer.exe

pid	process
1844	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1420	DesktopLayer.exe
1700	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1960	DesktopLayer.exe
1564	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1176	DesktopLayer.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
\Users\Admin\AppData\Local\Temp\nst293.tmp\nsRandom.dll	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1844-66-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1420-73-0x0000000000400000-0x000000000042E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx

Loads dropped DLL 24 IoCs

Processes:

2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exeDesktopLayer.exe2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exeDesktopLayer.exe2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exeDesktopLayer.exe

pid	process
1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe
1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe
1844	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1844	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe
1844	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1420	DesktopLayer.exe
1420	DesktopLayer.exe
1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe
1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe
1700	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1700	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1700	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1960	DesktopLayer.exe
1960	DesktopLayer.exe
1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe
1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe
1564	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1564	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1564	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
1176	DesktopLayer.exe
1176	DesktopLayer.exe
1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe
1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe

Drops file in Program Files directory 7 IoCs

Processes:

2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px32D.tmp	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4A3.tmp	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px83C.tmp	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5376D61-F23D-11EC-8EBB-4E28EF19992D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5F7E6D1-F23D-11EC-8EBB-4E28EF19992D} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "362675829"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5691451-F23D-11EC-8EBB-4E28EF19992D} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

DesktopLayer.exeDesktopLayer.exeDesktopLayer.exe

pid	process
1420	DesktopLayer.exe
1420	DesktopLayer.exe
1420	DesktopLayer.exe
1420	DesktopLayer.exe
1960	DesktopLayer.exe
1960	DesktopLayer.exe
1960	DesktopLayer.exe
1960	DesktopLayer.exe
1176	DesktopLayer.exe
1176	DesktopLayer.exe
1176	DesktopLayer.exe
1176	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

1156 iexplore.exe
1264 iexplore.exe
1480 iexplore.exe

pid	process
1156	iexplore.exe
1264	iexplore.exe
1480	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe
1264	iexplore.exe
1264	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1480	iexplore.exe
1480	iexplore.exe
1396	IEXPLORE.EXE
1396	IEXPLORE.EXE
1396	IEXPLORE.EXE
1396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1556 wrote to memory of 1844	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1844	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1844	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1844	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1844	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1844	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1844	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1844 wrote to memory of 1420	1844	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1844 wrote to memory of 1420	1844	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1844 wrote to memory of 1420	1844	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1844 wrote to memory of 1420	1844	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1844 wrote to memory of 1420	1844	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1844 wrote to memory of 1420	1844	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1844 wrote to memory of 1420	1844	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1420 wrote to memory of 1264	1420	DesktopLayer.exe	iexplore.exe
PID 1420 wrote to memory of 1264	1420	DesktopLayer.exe	iexplore.exe
PID 1420 wrote to memory of 1264	1420	DesktopLayer.exe	iexplore.exe
PID 1420 wrote to memory of 1264	1420	DesktopLayer.exe	iexplore.exe
PID 1556 wrote to memory of 1700	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1700	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1700	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1700	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1700	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1700	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1700	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1700 wrote to memory of 1960	1700	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1700 wrote to memory of 1960	1700	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1700 wrote to memory of 1960	1700	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1700 wrote to memory of 1960	1700	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1700 wrote to memory of 1960	1700	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1700 wrote to memory of 1960	1700	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1700 wrote to memory of 1960	1700	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1960 wrote to memory of 1156	1960	DesktopLayer.exe	iexplore.exe
PID 1960 wrote to memory of 1156	1960	DesktopLayer.exe	iexplore.exe
PID 1960 wrote to memory of 1156	1960	DesktopLayer.exe	iexplore.exe
PID 1960 wrote to memory of 1156	1960	DesktopLayer.exe	iexplore.exe
PID 1556 wrote to memory of 1564	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1564	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1564	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1564	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1564	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1564	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1556 wrote to memory of 1564	1556	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
PID 1564 wrote to memory of 1176	1564	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1564 wrote to memory of 1176	1564	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1564 wrote to memory of 1176	1564	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1564 wrote to memory of 1176	1564	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1564 wrote to memory of 1176	1564	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1564 wrote to memory of 1176	1564	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1564 wrote to memory of 1176	1564	2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe	DesktopLayer.exe
PID 1176 wrote to memory of 1480	1176	DesktopLayer.exe	iexplore.exe
PID 1176 wrote to memory of 1480	1176	DesktopLayer.exe	iexplore.exe
PID 1176 wrote to memory of 1480	1176	DesktopLayer.exe	iexplore.exe
PID 1176 wrote to memory of 1480	1176	DesktopLayer.exe	iexplore.exe
PID 1264 wrote to memory of 1768	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 1768	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 1768	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 1768	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 1768	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 1768	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 1768	1264	iexplore.exe	IEXPLORE.EXE
PID 1156 wrote to memory of 1056	1156	iexplore.exe	IEXPLORE.EXE
PID 1156 wrote to memory of 1056	1156	iexplore.exe	IEXPLORE.EXE
PID 1156 wrote to memory of 1056	1156	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe
"C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1844

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1700

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1156

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:340993 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1564

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:275457 /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5376D61-F23D-11EC-8EBB-4E28EF19992D}.dat
Filesize
5KB

MD5
b60b4724eb029be86d01854458638108

SHA1
9263a4f2326818f6441889d1836f905d4a8b2e45

SHA256
c04ce97082e01d15572055311f22a1fe5fc3fd3aa877d33a39e45abe0d996f0d

SHA512
c60a24f4b444bf56ba170a50e03fc5f1f9d081cf283701e41bb8e8a22bb90bbad56c46e241ae861cfb84f4d5b830b517e66759d597a5cb67c23c4add63024fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5376D61-F23D-11EC-8EBB-4E28EF19992D}.dat
Filesize
5KB

MD5
69eeaf8e5c37b8de6e2942ecd7afb5ba

SHA1
fd881d32c4481bfe5d150cb6b7ffca1ad5b2eb9f

SHA256
56efb7bc30e652140c2b84848de1a27faed89f6a4495ae1a4084923ba68097a1

SHA512
e7d7b9ac46e62dced59621dff0eaebcd4d1129d5b8367e75c91ee8f82bdb7d38ab9d521bd8c69ea5437a55bd53401d4280941ed02f52b2dfd8aeee07b052a1c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5691451-F23D-11EC-8EBB-4E28EF19992D}.dat
Filesize
3KB

MD5
b8bbd76de0d0d90134415e174f9c6c4c

SHA1
b655dab3dd8843ce4f87a7c63ace751b9c236a6e

SHA256
b2e59bb90d7dd38e81b31e33d35e8a3a1b928c6e37ee1837ddf697200cc13243

SHA512
f621ecc195c7d63b8f58bed3fc26e44143951098cd8ba2f0c80de25bd06a20c845738288bdcfb6732bb1962296d3a1ad3268cd1b2426a95cab41b366eb327d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OMDL56IA.txt
Filesize
604B

MD5
5a7729da6e5c648fee597da6ee5b4ec7

SHA1
f811aa4cb67c40975bbec98440d530ec0e0e1d29

SHA256
403a2572cf9eb73501e2a48640dc99d69f7c4cd523f7c9c2427e8ef38ca13f4b

SHA512
64faf06247be926961607a69a117f8a479fa95ebc50c3076e2151a7822b85cdcecd08133319c4b79dc4112f61546b60f28d1bb9e182ddd8ccf3a02d5ad95bd84

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\2e1241e9ef1417a857892aaa1705cf89f5759bcf8f7b33e61cd19ca33fc7c4cfSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\756838\MyNsisSkin.dll
Filesize
384KB

MD5
bf8624dd749fcd34042da56f412c3e21

SHA1
4b9f939c342af6fcd7eb02a6fb5aced062b0c7ef

SHA256
1298994ddf1de1c9876ad886b613ac8668d1d9d805123bfe63d60dc92ae1b538

SHA512
43914e3cc5a822d434859d47147a40e72ab562a4f07aca16d8ed7b7660a3ae60fdaba3d855338067e481bb2acd8db9e258e437a3e5ea73f44d09d7395b0f431c

Download Submit
\Users\Admin\AppData\Local\Temp\nst293.tmp\ButtonEvent.dll
Filesize
4KB

MD5
fad9d09fc0267e8513b8628e767b2604

SHA1
bea76a7621c07b30ed90bedef4d608a5b9e15300

SHA256
5d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2

SHA512
b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805

Download Submit
\Users\Admin\AppData\Local\Temp\nst293.tmp\MyNsisExtend.dll
Filesize
596KB

MD5
6040db1da245c3cab9afedbc5354c0ac

SHA1
1acbd486cd536b5f46d57a5f444c07b9082585e8

SHA256
7c213725d242bc07c27859697f9d8b1edce6769fad64ce3f55e7fe89041c467d

SHA512
a58793278ee299e05f44bc63db087df1d381738033acb6053bb7e2e285bb62729507b72bd89adc0974c41f27ec3033db229c84035c4cbf8d28391bc9274b1fd5

Download Submit
\Users\Admin\AppData\Local\Temp\nst293.tmp\System.dll
Filesize
67KB

MD5
fd52c2b9314cf3baab19213ffe358e32

SHA1
7cdd39c03c20fcb17034ab46fed0bdb7e9f4e964

SHA256
fe91ad0da776e7e20f524afa0f94f36d08c436f9ceb632cecd2e8b0fc252ee99

SHA512
28d10765b88dd3e38d82f48de447774cea7cf57513d38d1feac39c1f8282658b16ee0510c8dc45f22167bdacfc963ae1f0d8defcacf578456536a5ea13dd2a53

Download Submit
\Users\Admin\AppData\Local\Temp\nst293.tmp\nsDialogs.dll
Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nst293.tmp\nsRandom.dll
Filesize
77KB

MD5
1ab62d438f2f0066503c3c4f6ee93a9c

SHA1
b0d3af7d801cb12f68484e7adb7ebaa3980e3fbf

SHA256
ec30a85f07692ee579cb6fcd0a90e027c6c6f1a1c1805682f70b02d2e6a23e1c

SHA512
405c4f971ebb4bb7aca09501e52dec01c62f8c8e79d130a1fd47243507ec2706eae45ccbedff537e853133e237e52a4388cd7420a0687f56713445ed6eb05a5c

Download Submit
memory/1176-102-0x0000000000000000-mapping.dmp

Download
memory/1420-65-0x0000000000000000-mapping.dmp

Download
memory/1420-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1556-121-0x0000000001E10000-0x0000000001E3E000-memory.dmp

Filesize
184KB

Download
memory/1556-119-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1556-54-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/1556-111-0x0000000001DA0000-0x0000000001DCE000-memory.dmp

Filesize
184KB

Download
memory/1556-123-0x0000000002E80000-0x0000000002F1A000-memory.dmp

Filesize
616KB

Download
memory/1556-112-0x0000000001DA0000-0x0000000001E02000-memory.dmp

Filesize
392KB

Download
memory/1556-114-0x0000000001DA0000-0x0000000001DC1000-memory.dmp

Filesize
132KB

Download
memory/1556-115-0x0000000002E80000-0x0000000002F1A000-memory.dmp

Filesize
616KB

Download
memory/1556-76-0x0000000001DA0000-0x0000000001E02000-memory.dmp

Filesize
392KB

Download
memory/1556-110-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1556-113-0x0000000001E10000-0x0000000001E3E000-memory.dmp

Filesize
184KB

Download
memory/1556-120-0x0000000001DA0000-0x0000000001E02000-memory.dmp

Filesize
392KB

Download
memory/1556-122-0x0000000001E10000-0x0000000001E3E000-memory.dmp

Filesize
184KB

Download
memory/1556-75-0x0000000001DA1000-0x0000000001DE2000-memory.dmp

Filesize
260KB

Download
memory/1564-95-0x0000000000000000-mapping.dmp

Download
memory/1700-78-0x0000000000000000-mapping.dmp

Download
memory/1844-57-0x0000000000000000-mapping.dmp

Download
memory/1844-68-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1844-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1960-85-0x0000000000000000-mapping.dmp

Download