ramnit | 97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b

Analysis

max time kernel
105s
max time network
143s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 12:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe
Size

168KB
MD5

40eaedfce79ed58c76e336b1aa27f980
SHA1

332025147632327713ca42f2165571fb83d62026
SHA256

97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b
SHA512

3af72bb210e932224af473fed4f0c94e72bf0ddce93ce68d7acd1d5fa50d8956ff8bfd59f1d0865c1c08e86335f8bebd0ffa31f7536d8d42d03d177c3a391b4a
SSDEEP

3072:mROzoTq0+RO7IwnYgwj5aIwhyR9gvNGy2EkKW1VZrT7O4d:YkdNwBtqwIR9NFDrm4

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 6 IoCs

pid	Process
1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe
2032	DesktopLayer.exe
2028	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe
2040	DesktopLayerSrv.exe
1768	DesktopLayerSrvSrv.exe
1772	DesktopLayer.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000005c51-55.dat	upx
behavioral1/files/0x0008000000005c51-57.dat	upx
behavioral1/files/0x0008000000012313-61.dat	upx
behavioral1/files/0x0008000000012313-66.dat	upx
behavioral1/files/0x0008000000005c51-65.dat	upx
behavioral1/files/0x000a00000001230f-64.dat	upx
behavioral1/files/0x000a00000001230f-59.dat	upx
behavioral1/memory/1284-63-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/files/0x0009000000012318-71.dat	upx
behavioral1/files/0x000a00000001230f-76.dat	upx
behavioral1/memory/2032-77-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/files/0x0009000000012318-74.dat	upx
behavioral1/memory/2028-73-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1160-70-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/files/0x0008000000012313-69.dat	upx
behavioral1/files/0x000900000001231c-78.dat	upx
behavioral1/files/0x000900000001231c-81.dat	upx
behavioral1/files/0x0009000000012318-80.dat	upx
behavioral1/files/0x000a00000001230f-82.dat	upx
behavioral1/files/0x000900000001231c-85.dat	upx
behavioral1/files/0x000a00000001230f-86.dat	upx
behavioral1/files/0x000a00000001230f-90.dat	upx
behavioral1/memory/2040-89-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1768-87-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1772-91-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1284	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe
1284	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe
1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe
2032	DesktopLayer.exe
2040	DesktopLayerSrv.exe
2040	DesktopLayerSrv.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px1CD5.tmp	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1D51.tmp	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1ED7.tmp	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1DBF.tmp	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1F25.tmp	DesktopLayerSrvSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4601171-498B-11ED-9201-42465D836E7B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B49C37E1-498B-11ED-9201-42465D836E7B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372274972"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe
1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe
1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe
1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe
2028	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe
2028	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe
2028	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe
2028	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe
2032	DesktopLayer.exe
2032	DesktopLayer.exe
2032	DesktopLayer.exe
2032	DesktopLayer.exe
1768	DesktopLayerSrvSrv.exe
1768	DesktopLayerSrvSrv.exe
1768	DesktopLayerSrvSrv.exe
1768	DesktopLayerSrvSrv.exe
1772	DesktopLayer.exe
1772	DesktopLayer.exe
1772	DesktopLayer.exe
1772	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
320	iexplore.exe
1932	iexplore.exe
548	iexplore.exe
268	iexplore.exe
1656	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1656	iexplore.exe
1656	iexplore.exe
1932	iexplore.exe
1932	iexplore.exe
320	iexplore.exe
320	iexplore.exe
268	iexplore.exe
268	iexplore.exe
548	iexplore.exe
548	iexplore.exe
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1160	1284	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe	27
PID 1284 wrote to memory of 1160	1284	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe	27
PID 1284 wrote to memory of 1160	1284	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe	27
PID 1284 wrote to memory of 1160	1284	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe	27
PID 1284 wrote to memory of 2032	1284	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe	28
PID 1284 wrote to memory of 2032	1284	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe	28
PID 1284 wrote to memory of 2032	1284	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe	28
PID 1284 wrote to memory of 2032	1284	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe	28
PID 1160 wrote to memory of 2028	1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe	29
PID 1160 wrote to memory of 2028	1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe	29
PID 1160 wrote to memory of 2028	1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe	29
PID 1160 wrote to memory of 2028	1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe	29
PID 1160 wrote to memory of 268	1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe	30
PID 1160 wrote to memory of 268	1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe	30
PID 1160 wrote to memory of 268	1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe	30
PID 1160 wrote to memory of 268	1160	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe	30
PID 2028 wrote to memory of 1932	2028	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe	31
PID 2028 wrote to memory of 1932	2028	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe	31
PID 2028 wrote to memory of 1932	2028	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe	31
PID 2028 wrote to memory of 1932	2028	97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe	31
PID 2032 wrote to memory of 2040	2032	DesktopLayer.exe	32
PID 2032 wrote to memory of 2040	2032	DesktopLayer.exe	32
PID 2032 wrote to memory of 2040	2032	DesktopLayer.exe	32
PID 2032 wrote to memory of 2040	2032	DesktopLayer.exe	32
PID 2032 wrote to memory of 320	2032	DesktopLayer.exe	33
PID 2032 wrote to memory of 320	2032	DesktopLayer.exe	33
PID 2032 wrote to memory of 320	2032	DesktopLayer.exe	33
PID 2032 wrote to memory of 320	2032	DesktopLayer.exe	33
PID 2040 wrote to memory of 1768	2040	DesktopLayerSrv.exe	34
PID 2040 wrote to memory of 1768	2040	DesktopLayerSrv.exe	34
PID 2040 wrote to memory of 1768	2040	DesktopLayerSrv.exe	34
PID 2040 wrote to memory of 1768	2040	DesktopLayerSrv.exe	34
PID 2040 wrote to memory of 1772	2040	DesktopLayerSrv.exe	35
PID 2040 wrote to memory of 1772	2040	DesktopLayerSrv.exe	35
PID 2040 wrote to memory of 1772	2040	DesktopLayerSrv.exe	35
PID 2040 wrote to memory of 1772	2040	DesktopLayerSrv.exe	35
PID 1768 wrote to memory of 548	1768	DesktopLayerSrvSrv.exe	36
PID 1768 wrote to memory of 548	1768	DesktopLayerSrvSrv.exe	36
PID 1768 wrote to memory of 548	1768	DesktopLayerSrvSrv.exe	36
PID 1768 wrote to memory of 548	1768	DesktopLayerSrvSrv.exe	36
PID 1772 wrote to memory of 1656	1772	DesktopLayer.exe	37
PID 1772 wrote to memory of 1656	1772	DesktopLayer.exe	37
PID 1772 wrote to memory of 1656	1772	DesktopLayer.exe	37
PID 1772 wrote to memory of 1656	1772	DesktopLayer.exe	37
PID 1656 wrote to memory of 1316	1656	iexplore.exe	41
PID 1656 wrote to memory of 1316	1656	iexplore.exe	41
PID 1656 wrote to memory of 1316	1656	iexplore.exe	41
PID 1656 wrote to memory of 1316	1656	iexplore.exe	41
PID 1932 wrote to memory of 1328	1932	iexplore.exe	42
PID 1932 wrote to memory of 1328	1932	iexplore.exe	42
PID 1932 wrote to memory of 1328	1932	iexplore.exe	42
PID 1932 wrote to memory of 1328	1932	iexplore.exe	42
PID 320 wrote to memory of 1728	320	iexplore.exe	40
PID 320 wrote to memory of 1728	320	iexplore.exe	40
PID 320 wrote to memory of 1728	320	iexplore.exe	40
PID 320 wrote to memory of 1728	320	iexplore.exe	40
PID 268 wrote to memory of 1936	268	iexplore.exe	43
PID 268 wrote to memory of 1936	268	iexplore.exe	43
PID 268 wrote to memory of 1936	268	iexplore.exe	43
PID 268 wrote to memory of 1936	268	iexplore.exe	43
PID 548 wrote to memory of 1668	548	iexplore.exe	39
PID 548 wrote to memory of 1668	548	iexplore.exe	39
PID 548 wrote to memory of 1668	548	iexplore.exe	39
PID 548 wrote to memory of 1668	548	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe
"C:\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe
  C:\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1328
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1936
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:548
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:548 CREDAT:275457 /prefetch:2
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1668
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1316
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
168KB

MD5
40eaedfce79ed58c76e336b1aa27f980

SHA1
332025147632327713ca42f2165571fb83d62026

SHA256
97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b

SHA512
3af72bb210e932224af473fed4f0c94e72bf0ddce93ce68d7acd1d5fa50d8956ff8bfd59f1d0865c1c08e86335f8bebd0ffa31f7536d8d42d03d177c3a391b4a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
168KB

MD5
40eaedfce79ed58c76e336b1aa27f980

SHA1
332025147632327713ca42f2165571fb83d62026

SHA256
97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b

SHA512
3af72bb210e932224af473fed4f0c94e72bf0ddce93ce68d7acd1d5fa50d8956ff8bfd59f1d0865c1c08e86335f8bebd0ffa31f7536d8d42d03d177c3a391b4a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
111KB

MD5
1306a06f8db37adbfa5ed9afe0033c38

SHA1
d8163d41ff88f132593febed331e274a06c69a0a

SHA256
c5017d71a52c7101e3c7fe9b05bf25070bd0d799aee5d70e2108db9c46e5d9cf

SHA512
dbdd6523cf51f7127dcfe34b62b79b14f81c4c83884db0e5792e5d31788f5c3495988f63dad560beff79ff7b71686ef4bc43e6106fe7f1683bcab08296fdcf98

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
111KB

MD5
1306a06f8db37adbfa5ed9afe0033c38

SHA1
d8163d41ff88f132593febed331e274a06c69a0a

SHA256
c5017d71a52c7101e3c7fe9b05bf25070bd0d799aee5d70e2108db9c46e5d9cf

SHA512
dbdd6523cf51f7127dcfe34b62b79b14f81c4c83884db0e5792e5d31788f5c3495988f63dad560beff79ff7b71686ef4bc43e6106fe7f1683bcab08296fdcf98

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
111KB

MD5
1306a06f8db37adbfa5ed9afe0033c38

SHA1
d8163d41ff88f132593febed331e274a06c69a0a

SHA256
c5017d71a52c7101e3c7fe9b05bf25070bd0d799aee5d70e2108db9c46e5d9cf

SHA512
dbdd6523cf51f7127dcfe34b62b79b14f81c4c83884db0e5792e5d31788f5c3495988f63dad560beff79ff7b71686ef4bc43e6106fe7f1683bcab08296fdcf98

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
111KB

MD5
1306a06f8db37adbfa5ed9afe0033c38

SHA1
d8163d41ff88f132593febed331e274a06c69a0a

SHA256
c5017d71a52c7101e3c7fe9b05bf25070bd0d799aee5d70e2108db9c46e5d9cf

SHA512
dbdd6523cf51f7127dcfe34b62b79b14f81c4c83884db0e5792e5d31788f5c3495988f63dad560beff79ff7b71686ef4bc43e6106fe7f1683bcab08296fdcf98

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B45BA4A1-498B-11ED-9201-42465D836E7B}.dat

Filesize
3KB

MD5
2582beed588b399d6217c11c195e01e3

SHA1
7c037be2070d3cd477e55b143fd88db84d2657ba

SHA256
d72fa5fb4558a303ae61a8eaf96c53d9aad403198e2e45c11e1bdb4e367a3c37

SHA512
8513110519b1b874384c21994e4a9f8f053a8751f5dae5c613071a95af3a9c1fc0e446c8a7e84f7fdfb6f21ea9766d265f37e58352b5f9f648a4811fa2953bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B45BA4A1-498B-11ED-9201-42465D836E7B}.dat

Filesize
5KB

MD5
eee36cdc2ccdde3bbb88cb561d56aeea

SHA1
1374b8352b7b937063285ad522a60939b7880e63

SHA256
38fb3df87d5e8e2de611a1edca59aec58e600fc8d4e1410cca356d8b568e7ba7

SHA512
7daf95aadb9b0d68fc4d86190175307d0a13ac5d4b2304ac730b858f11817eccdd7bc9731686a998f07548e1c8a8d70d70264d94c3b0b2d7401aa4f3b7b59701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B4601171-498B-11ED-9201-42465D836E7B}.dat

Filesize
5KB

MD5
9c74e449783124140ecea88d0791e40a

SHA1
1693e64d855b4f2087748554438922a37f573a7a

SHA256
2d3030c1de8a6280ff345890cb8888c8089824cd667bf2857ec7cd56faff8122

SHA512
667a52d0c0f85fb1b3568fb04e6b22e8cece8556a8a115663f79c51ed3529f65ed088a92c64fc11e6552823641bd952048f32e3ecb50afb61dbc2e861fcb86bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B49C37E1-498B-11ED-9201-42465D836E7B}.dat

Filesize
4KB

MD5
c68b9f032ecdc9e1c75453f97e3387a1

SHA1
6e57f41c29f1214ddfb0b97aaa668d9b6eb1c3a5

SHA256
d97d8e4accfca2d1fc0a964544b567dac78377b539e1944acb23b0c0cbbf2e60

SHA512
a3361653f247ff99c5e19c7a59af0ed36011de668f760e44f3eb286e3fd47853495d59fe5ad0ae11fa94e405f7932737b89a93972828307cb45f9f429f21d852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B49C37E1-498B-11ED-9201-42465D836E7B}.dat

Filesize
3KB

MD5
8934c1fc1556d7c4e01ca97b6c6573d3

SHA1
9d9892bd5989426982edae34ce2541ec1311676d

SHA256
3fdf2b9c912a236f72a05185926a4b28f6dd4a9f454e21702cbf9117faccdee4

SHA512
a4d5c60bcb71a08cb132ee23045e7b81955802de00b73ba029456c2188494d7de4c60b024d31d83dd15c81f05ff55b61e59c63a5d71e5ac3ed970db6c43eca89

Download Submit
C:\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe

Filesize
111KB

MD5
1306a06f8db37adbfa5ed9afe0033c38

SHA1
d8163d41ff88f132593febed331e274a06c69a0a

SHA256
c5017d71a52c7101e3c7fe9b05bf25070bd0d799aee5d70e2108db9c46e5d9cf

SHA512
dbdd6523cf51f7127dcfe34b62b79b14f81c4c83884db0e5792e5d31788f5c3495988f63dad560beff79ff7b71686ef4bc43e6106fe7f1683bcab08296fdcf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe

Filesize
111KB

MD5
1306a06f8db37adbfa5ed9afe0033c38

SHA1
d8163d41ff88f132593febed331e274a06c69a0a

SHA256
c5017d71a52c7101e3c7fe9b05bf25070bd0d799aee5d70e2108db9c46e5d9cf

SHA512
dbdd6523cf51f7127dcfe34b62b79b14f81c4c83884db0e5792e5d31788f5c3495988f63dad560beff79ff7b71686ef4bc43e6106fe7f1683bcab08296fdcf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\J9IBAI6R.txt

Filesize
607B

MD5
7c31c901bf3049275e51e8dda365ba12

SHA1
730819b3a44166ba70a566cf5d13bda668049d66

SHA256
c8d811c5b8ca190945035989071d9b710afbb2cc65f17d56193ea7444a214f9c

SHA512
6328096b5b20eb98a2de82592b1780eba42257a84b2d3b85100e653b5b9176b322e7a0f7498e571fc5956feeb77e0242fce923a22991848de1be6f98f7070a2b

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
168KB

MD5
40eaedfce79ed58c76e336b1aa27f980

SHA1
332025147632327713ca42f2165571fb83d62026

SHA256
97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730b

SHA512
3af72bb210e932224af473fed4f0c94e72bf0ddce93ce68d7acd1d5fa50d8956ff8bfd59f1d0865c1c08e86335f8bebd0ffa31f7536d8d42d03d177c3a391b4a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
111KB

MD5
1306a06f8db37adbfa5ed9afe0033c38

SHA1
d8163d41ff88f132593febed331e274a06c69a0a

SHA256
c5017d71a52c7101e3c7fe9b05bf25070bd0d799aee5d70e2108db9c46e5d9cf

SHA512
dbdd6523cf51f7127dcfe34b62b79b14f81c4c83884db0e5792e5d31788f5c3495988f63dad560beff79ff7b71686ef4bc43e6106fe7f1683bcab08296fdcf98

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
111KB

MD5
1306a06f8db37adbfa5ed9afe0033c38

SHA1
d8163d41ff88f132593febed331e274a06c69a0a

SHA256
c5017d71a52c7101e3c7fe9b05bf25070bd0d799aee5d70e2108db9c46e5d9cf

SHA512
dbdd6523cf51f7127dcfe34b62b79b14f81c4c83884db0e5792e5d31788f5c3495988f63dad560beff79ff7b71686ef4bc43e6106fe7f1683bcab08296fdcf98

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrv.exe

Filesize
111KB

MD5
1306a06f8db37adbfa5ed9afe0033c38

SHA1
d8163d41ff88f132593febed331e274a06c69a0a

SHA256
c5017d71a52c7101e3c7fe9b05bf25070bd0d799aee5d70e2108db9c46e5d9cf

SHA512
dbdd6523cf51f7127dcfe34b62b79b14f81c4c83884db0e5792e5d31788f5c3495988f63dad560beff79ff7b71686ef4bc43e6106fe7f1683bcab08296fdcf98

Download Submit
\Users\Admin\AppData\Local\Temp\97cb27f5796a5e2d964d5c9a22aa66266516e555a512b75da2721f1322af730bSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1160-70-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1284-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1768-87-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1772-91-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2028-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2032-77-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2040-89-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download