ramnit | c65046f87d5ceebfe71df19347ce5e768354b4a160d9b9f5b4a753c5dab06ff2

Analysis

max time kernel
138s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

protozoa.exe
Size

446KB
MD5

e2483e0fbce7217101ba1e0cb49026c1
SHA1

62788e0e7c29811c87bcd636ad12c3f8db1d81b3
SHA256

2e8a4183f3340095e2aa0988d9c4c99d4fc724d21b36ae947797a16116187131
SHA512

88b8bac88b89ac494ad88ffd88abfce11a738021a15a30600850c9c0b5ebed1c3c78806cf0f9d6204d6afc5c6990b24fa876fa1e7270bc20db040c7eeda05c70
SSDEEP

6144:gVHYucgQtyqGplPZCragI0eG2IQ8CN99tPRsTPePBZva6KIaV7FqFPK/QXPj7QRx:gVY3yxCrab0H68g7SqBa97mUG1NT

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

protozoaSrv.exeDesktopLayer.exe

pid process

2304 protozoaSrv.exe
2888 DesktopLayer.exe
Loads dropped DLL 2 IoCs

Processes:

protozoa.exeprotozoaSrv.exe

pid process

1524 protozoa.exe
2304 protozoaSrv.exe

pid	process
2304	protozoaSrv.exe
2888	DesktopLayer.exe

pid	process
1524	protozoa.exe
2304	protozoaSrv.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\protozoaSrv.exe	upx
behavioral31/memory/2304-11-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral31/memory/2304-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral31/memory/2888-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral31/memory/2888-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

protozoaSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB74E.tmp	protozoaSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	protozoaSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	protozoaSrv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422826077"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6635B331-1ACA-11EF-A6D5-5A791E92BC44} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

2888 DesktopLayer.exe
2888 DesktopLayer.exe
2888 DesktopLayer.exe
2888 DesktopLayer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3004 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

protozoa.exeiexplore.exeIEXPLORE.EXE

pid process

1524 protozoa.exe
3004 iexplore.exe
3004 iexplore.exe
3040 IEXPLORE.EXE
3040 IEXPLORE.EXE
3040 IEXPLORE.EXE
3040 IEXPLORE.EXE

pid	process
2888	DesktopLayer.exe
2888	DesktopLayer.exe
2888	DesktopLayer.exe
2888	DesktopLayer.exe

pid	process
3004	iexplore.exe

pid	process
1524	protozoa.exe
3004	iexplore.exe
3004	iexplore.exe
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

protozoa.exeprotozoaSrv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 1524 wrote to memory of 2304	1524	protozoa.exe	protozoaSrv.exe
PID 1524 wrote to memory of 2304	1524	protozoa.exe	protozoaSrv.exe
PID 1524 wrote to memory of 2304	1524	protozoa.exe	protozoaSrv.exe
PID 1524 wrote to memory of 2304	1524	protozoa.exe	protozoaSrv.exe
PID 2304 wrote to memory of 2888	2304	protozoaSrv.exe	DesktopLayer.exe
PID 2304 wrote to memory of 2888	2304	protozoaSrv.exe	DesktopLayer.exe
PID 2304 wrote to memory of 2888	2304	protozoaSrv.exe	DesktopLayer.exe
PID 2304 wrote to memory of 2888	2304	protozoaSrv.exe	DesktopLayer.exe
PID 2888 wrote to memory of 3004	2888	DesktopLayer.exe	iexplore.exe
PID 2888 wrote to memory of 3004	2888	DesktopLayer.exe	iexplore.exe
PID 2888 wrote to memory of 3004	2888	DesktopLayer.exe	iexplore.exe
PID 2888 wrote to memory of 3004	2888	DesktopLayer.exe	iexplore.exe
PID 3004 wrote to memory of 3040	3004	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 3040	3004	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 3040	3004	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 3040	3004	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\protozoa.exe
"C:\Users\Admin\AppData\Local\Temp\protozoa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\protozoaSrv.exe
  C:\Users\Admin\AppData\Local\Temp\protozoaSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09dc86e07638dfb8364fad63c8d755ed

SHA1
7302fbeea92819c7013bafed8b7993dd39dc3a4a

SHA256
9732bb411f35175b926587b42d8fd2b5e5c169779048deaa2839f7edbc5ccb7b

SHA512
ff2c4aeef33de61b7dc08dff970d713690aef6f5266ac8cb380e0012aaba75c6ecd22b75afcb37f697f7c72b1daaebb8afda4cde67107a725795be3899e33b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d0b5a4419bd9a4f6685a08d9e645cc7

SHA1
37572075fe9a32dd85d4797b237252046f089fc5

SHA256
1906f8461ec8b74a6f3addef4d0f9d310636a976d904737bcbf8284a2ad078ce

SHA512
b4d4c44b95a18e988ecb029b9f07513c7b73d346c948e3bfc994ef070d7b42e74a8fd7bd0382e98e125b52ad83020e457a3db6cd80c60351ea9315239a0cb847

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b0cd8aa1756f25cd02034767beea7e03

SHA1
733b64ce6d2d09aa677b71ac1e94fa5d4ad6994c

SHA256
4443fdd24baa0092aca731caebc4799744a967091267168668cbaec22d07c534

SHA512
29fbbc0d4ae1f892910f43aa2726d7c3dacf86d83ea46c57ea4db7d9650efafdc1d6b7151b5f73cf8aa4de7061365fbfa505a94331b6dfa0b096cc501e08b810

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8af3c666ea2397f98ec2680b5b41809

SHA1
d3c93d604091d128926a7a2979d8b55184427400

SHA256
1df29d5f380431c8dc19a9d50e91b2428190ac753c11df1e2304be215a168b58

SHA512
39caae380733fc00bbbe5e540795d3ceeb3b5c187cb7b2840d25d7c794e3bcc5bf4fdf960b4fbdaab35e161cf58ebca0d7c8d56ab6764449eea7b4ab457d41b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17d5c8e6686118e2da72c49eaec1995a

SHA1
91ca94f8c61b45c5096ae667dba0fe6312ff3e80

SHA256
900ddec4ddd45976dd4501d54b2b4d5b81986eb49c5f698b46ab4b5b0bc5d036

SHA512
3e36a5505d030aa5ca313e81cdff991c281b2aa66e232aaf30993cc798e4923f6787c2310084e99bd88919ba84cc009cd3f7a96afed67ff2898d8707f7523f39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7731079bdce527ebeda41a4dc0d0a2a0

SHA1
c896880b5e02c7d57cd7585d698bbf7a6b053fcf

SHA256
6c5a69fc030b377b47d882c2881492545a5a1bfb775fb1974349d9c785250b96

SHA512
c1a52be2655143d2409f41c3271032dc57feb1e3f6fe1b127062d579b68fb501ad36638b4d7566b18d09e3b9e9bb43d2b9ff9913d32a1a961d3390717f7b3ee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b119e775ea2f24a0d6b347f17f15b31

SHA1
a69d16d95b69743c17c76f9ae8218b99ec06cbcd

SHA256
9c4f3202fa7702cb79294cc9db03c02ed42102deb884693bf056027e063cf642

SHA512
286cafc44897891a2630d515ecc5882a07191c78128f00a2d07decd0a4047ee7d9569ab3b7daea632d0012bb0d4020127d0e83340340aafafd7dca975516ae0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fde80a479ba1d136e7ac2973f51fbad7

SHA1
af05060186f49c2682ce3fa4e02f86dd908c5e54

SHA256
c0eb31141aa8c9c59b6422f493f43780ebc1ed4d7369fed4447dc5fde1f6301b

SHA512
5d85ea913f450664a71228309656d33df2291a3fc786291f838e261a9c9336a483977ff5c420b54591fbb1c91b015ad0278c9694206280bc024ad02335938127

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41f84a5583fe0f0f1f4861d32ddc6966

SHA1
7b1cbbaba6ade1cd22db3783ea6ae877986fb2c9

SHA256
4042e0f78224d8748f8dff278c51259ecc77d16fcaaaaa248198967a2c856683

SHA512
04f89483779e2cd4ea94c64761652cf2e2511c8b72cd04ac6139aa2992008ea38cba0430dc48e103eb06c49fc2a4a06132db8b5e8d215dcbf5002cf4d9807ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e75b3467d7adba63d49e515e59e067b

SHA1
b8ef653a144cb14a9d3b51bd6f88668e1cf628ff

SHA256
dbd541eb8eab76abe42940075a7fe7bdbf187639de5653a39b23e5dafd470a85

SHA512
62595d6de84637f9b2fdb13ef5e2c2a264f62a1b5ae5dfb8ae17e9dd96b3845b5deadd0e6380a54b859f40b87d6fb283a2af5e801bf8be3fd9dd3e5cb8b5b3ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
707635249916dc50224df5d228254385

SHA1
90503e8f39d1e9f6bc60c3db4ddd10a27d11b423

SHA256
8a317cfe4b794f6f5fece4f9eb73103fab9cffc728565c4f991eb5ad32faa299

SHA512
4ffabe7173bd9bea4542be3feab6f796fdfd7954e8bc7bac21ff13d05842e061768e9b31253874a23bc577b3b60c57b3192a9b66ae1e1b667fb2cb951003fd15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ca6fe30e38d128322204133a3061cf1

SHA1
6c5631b199302a633923c957b96d370964f16fda

SHA256
24f44ec33d3f73de01eddc6c310c1e60452aade71f6f2dddd734a3cccba246b1

SHA512
9ebc975bc79ba1bca0a541ac3bb85dc91b2a6d2ce56f7997ff686bbbd9c3bcef99e52f8653f6fd80154676a577826b3520f5c010dc240d2c60579765b9ff3c65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83f141f587224b5defed8f9cfdd71781

SHA1
84b53197ba3284879fb5eb866c60204f4618e142

SHA256
fde238f984a13d9de0a0eebf3641528ed3cfd777e263329f5c409035f3b2f306

SHA512
eac4e9ccb2cb3cf3c84cc1756177be655343f87de5bdd02895c32a1add2d075b77f3e44a1b410230a738641293f769afbf0112114f6c4c8bebd33adaef0976ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7444a41e4a370c2a809362fc4bb994bc

SHA1
e10b80adc503ea50211b1dc712fc84fa299f22ff

SHA256
89067dab3dd83071958f04857055748ee956152cbc62d3afd7c8b313a9eda6cf

SHA512
b3a87a4209775dc2a2654a817bc4d665080117aba3f3584be1453179c9e9f3f9b41fee5e8de91c26829b4d08600664f4e33f4e6811dc206762bcaf718473ec95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
021881345970b69f3ddf5d45ac6a693d

SHA1
b991e7f0450aa16b06c3faa224c4d0497bbffd0d

SHA256
f5b2cdcf0087442bc47da20733750ef23cf22f84d46a4177f0fa2fceeb8a32fa

SHA512
0eb69302bfb865722def702a161aff149b10e67963914b3d3dd7c585d049cf1f6bfa644d94144244489655609bf3476557984a422bdfe07ecbbe0202058fa440

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc99ac6216c3eb8aa5b22ad01484250f

SHA1
aa44d2f603bfc40991cf27b7057207922c519a65

SHA256
673076720d6c7bcbfead56aa13bab2a92e67dcf6d6da896aa4d6f0caa7265029

SHA512
0b89c09a8bc94ec24c5b6167e624503f11bbb003119f7191038a683787c85b5fd53028da02c1f5cba6ac6058f3e99507ff374a7f615625a6ad5ba443763f2da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDD86.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDEC5.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\protozoaSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1524-0-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/1524-31-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/1524-32-0x000000006A400000-0x000000006A45E000-memory.dmp

Filesize
376KB

Download
memory/1524-33-0x0000000000710000-0x0000000000BD2000-memory.dmp

Filesize
4.8MB

Download
memory/1524-30-0x000000006ED80000-0x000000006EDB5000-memory.dmp

Filesize
212KB

Download
memory/1524-28-0x0000000000400000-0x00000000005EBDE0-memory.dmp

Filesize
1.9MB

Download
memory/1524-1-0x000000006A400000-0x000000006A45E000-memory.dmp

Filesize
376KB

Download
memory/1524-4-0x0000000000710000-0x0000000000BD2000-memory.dmp

Filesize
4.8MB

Download
memory/1524-9-0x0000000000BE0000-0x0000000000C0E000-memory.dmp

Filesize
184KB

Download
memory/2304-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2304-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2304-13-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download
memory/2888-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2888-22-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2888-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download