ramnit | 622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
Size

947KB
MD5

afe636c6a9ae65fba2720333c1dd0aac
SHA1

97531487a89cfdc34f41312c99a709f1c9bba160
SHA256

622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf
SHA512

3daa84ddb3fef0deb65c52980776eb5cee09c5238ab4e3eafdfee077817d479c241d216798abb01a1e717fda48f49edd68785190694f12cef58116b0004a2229
SSDEEP

12288:p7+Bf3AaCECS3gRbQZrz7iVHoPPmF8nS04IKCWcZbfq/JRPxVrO1RRDHYi4Zw+b0:p7gHKRUPUHonmWSjCxfCRyeZldc

Score

10^/10

ramnit banker discovery evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	cmd.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	cmd.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\cmd.exe = "C:\\Windows\\SysWOW64\\cmd.exe:*:enabled:@shell32.dll,-1"	cmd.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	716	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2828	Logo1_.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
2876	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abfSrv.exe
2108	DesktopLayer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000234de-22.dat	upx
behavioral2/memory/2876-23-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2876-25-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2108-30-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2108-31-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2876-35-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2108-33-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2108-36-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\id-ID\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ca-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\messaging\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
File created	C:\Windows\Logo1_.exe	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2992	1936	WerFault.exe	89
2660	1936	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abfSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31130652"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130652"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432804820"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31130652"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2564514935"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2535608958"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130652"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C1CCBE56-700F-11EF-BB4F-DE20CD0D11AA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2535608958"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2564514935"	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
2108	DesktopLayer.exe
2108	DesktopLayer.exe
2108	DesktopLayer.exe
2108	DesktopLayer.exe
2108	DesktopLayer.exe
2108	DesktopLayer.exe
2108	DesktopLayer.exe
2108	DesktopLayer.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe
2828	Logo1_.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe
Token: SeChangeNotifyPrivilege	2828	Logo1_.exe
Token: SeTakeOwnershipPrivilege	2828	Logo1_.exe
Token: SeRestorePrivilege	2828	Logo1_.exe
Token: SeBackupPrivilege	2828	Logo1_.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3328	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3328	iexplore.exe
3328	iexplore.exe
3576	IEXPLORE.EXE
3576	IEXPLORE.EXE
3576	IEXPLORE.EXE
3576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 716	2296	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	83
PID 2296 wrote to memory of 716	2296	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	83
PID 2296 wrote to memory of 716	2296	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	83
PID 2296 wrote to memory of 2828	2296	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	84
PID 2296 wrote to memory of 2828	2296	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	84
PID 2296 wrote to memory of 2828	2296	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	84
PID 2828 wrote to memory of 4524	2828	Logo1_.exe	85
PID 2828 wrote to memory of 4524	2828	Logo1_.exe	85
PID 2828 wrote to memory of 4524	2828	Logo1_.exe	85
PID 4524 wrote to memory of 4036	4524	net.exe	88
PID 4524 wrote to memory of 4036	4524	net.exe	88
PID 4524 wrote to memory of 4036	4524	net.exe	88
PID 716 wrote to memory of 1936	716	cmd.exe	89
PID 716 wrote to memory of 1936	716	cmd.exe	89
PID 716 wrote to memory of 1936	716	cmd.exe	89
PID 1936 wrote to memory of 2876	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	90
PID 1936 wrote to memory of 2876	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	90
PID 1936 wrote to memory of 2876	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	90
PID 2876 wrote to memory of 2108	2876	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abfSrv.exe	91
PID 2876 wrote to memory of 2108	2876	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abfSrv.exe	91
PID 2876 wrote to memory of 2108	2876	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abfSrv.exe	91
PID 1936 wrote to memory of 616	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	5
PID 1936 wrote to memory of 616	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	5
PID 1936 wrote to memory of 616	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	5
PID 1936 wrote to memory of 616	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	5
PID 1936 wrote to memory of 616	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	5
PID 1936 wrote to memory of 616	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	5
PID 1936 wrote to memory of 680	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	7
PID 1936 wrote to memory of 680	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	7
PID 1936 wrote to memory of 680	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	7
PID 1936 wrote to memory of 680	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	7
PID 1936 wrote to memory of 680	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	7
PID 1936 wrote to memory of 680	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	7
PID 1936 wrote to memory of 788	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	8
PID 1936 wrote to memory of 788	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	8
PID 1936 wrote to memory of 788	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	8
PID 1936 wrote to memory of 788	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	8
PID 1936 wrote to memory of 788	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	8
PID 1936 wrote to memory of 788	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	8
PID 1936 wrote to memory of 796	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	9
PID 1936 wrote to memory of 796	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	9
PID 1936 wrote to memory of 796	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	9
PID 1936 wrote to memory of 796	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	9
PID 1936 wrote to memory of 796	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	9
PID 1936 wrote to memory of 796	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	9
PID 1936 wrote to memory of 804	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	10
PID 1936 wrote to memory of 804	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	10
PID 1936 wrote to memory of 804	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	10
PID 1936 wrote to memory of 804	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	10
PID 1936 wrote to memory of 804	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	10
PID 1936 wrote to memory of 804	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	10
PID 1936 wrote to memory of 908	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	11
PID 1936 wrote to memory of 908	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	11
PID 1936 wrote to memory of 908	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	11
PID 1936 wrote to memory of 908	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	11
PID 1936 wrote to memory of 908	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	11
PID 1936 wrote to memory of 908	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	11
PID 1936 wrote to memory of 964	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	12
PID 1936 wrote to memory of 964	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	12
PID 1936 wrote to memory of 964	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	12
PID 1936 wrote to memory of 964	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	12
PID 1936 wrote to memory of 964	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	12
PID 1936 wrote to memory of 964	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	12
PID 1936 wrote to memory of 380	1936	622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe	13

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:804
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2984
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3832
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3928
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3988
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4084
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4192
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4352
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1428
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1600
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1104
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1504
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1980

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2672

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3400

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
  "C:\Users\Admin\AppData\Local\Temp\622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA076.bat
    3⤵
    - Modifies firewall policy service
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe
      "C:\Users\Admin\AppData\Local\Temp\622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Users\Admin\AppData\Local\Temp\622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abfSrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abfSrv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3328
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3328 CREDAT:17410 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 520
        5⤵
        Program crash
        
        PID:2992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 360
        5⤵
        Program crash
        
        PID:2660
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5084

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1936 -ip 1936
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1936 -ip 1936
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
244KB

MD5
214f04655f39975b9b7f66c07cf0e2c2

SHA1
4458056cec98a4715067ab16622682bd86562a97

SHA256
9569f6d4e996e5426d9af81b4490ec6c9583b0a20f173d47018f7c1b7f826235

SHA512
86a7f8c5014ca36fe487778338ce59f0bd81955a9fefd0fa728ef5b77f8e91d533199cff062995629281b3c5e12f62046d39dd93f585ba602cd89f29aea6ce2d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
597KB

MD5
4e76d2210ce0d1679028225f056b44a5

SHA1
e11fb6630ddcea7c5d9f0a5d54aa883451fb493d

SHA256
a92209d3397f61982cd79b3d72be855a12ffca768255c44390abf8cf3911dc13

SHA512
54493f2d464ec26ca0800f24e893b0c4bf5ed71618a3fae02e99ac39c102ecaccdc226116148deaa0f26a67d810b289be1e3b0fbf3791e1a04c1bc7298cb163d

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
9b8d7423bbba21ab6b79a94ac7b8f67c

SHA1
f472a0aa8acc6a81157033b2eb43b29ec2722b1e

SHA256
0a613829c745cc1fa427c9f0f2b136cee486b3ca963b676397c9106553924631

SHA512
2efae232139c4487bf82ef061bbe0406f4f6972ca1d949634e5282651b6cc4b4ae6d78a48c65ac6fed9d8957763d3512fd503b2a2f5059da4bf5841be022250e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
c2ae79e312cfacf76eee7b880540818e

SHA1
0f1855d5ff4fbe764e36f1f89f1e6e8343328fb7

SHA256
361cb24220109e7519e10e78e655d510ca0ba5aa4ba67d152aedd1203310a9c9

SHA512
1025dc6cfa214cefe4783be7cb60c199a6f22169915e0565818d47c0ac3373062b4e6f3750d3b37334b275e0bbe64b0fffa7dfd3dbc7951f4c9613aacb7739b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2AB5.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8WYVOD7\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA076.bat

Filesize
722B

MD5
4d56876807b56eed4667ce871b4032a3

SHA1
ffcef3e2db0b638de9d6d191f0a669645ea48af5

SHA256
4a62bbe5852812bf566ffe8ad494c8c89bd437542e3eddb0dad6c912c64153e7

SHA512
00e2ea0351482e32367ef6d084710e37caa8b2dbfc7740b985fa48c8f208961d9edc091ef412fcba9ce0c8830c8e5738c0da956adfefa4cfa597b1b1d4e51620

Download Submit
C:\Users\Admin\AppData\Local\Temp\622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abf.exe.exe

Filesize
921KB

MD5
ce4151b5815ff125d65c023eaa61f20b

SHA1
69a576c2908f4af1bd91b617801d3b708c7b31b6

SHA256
9b7a5d8c936c89268c2261a3ede46e970e44f23ad0d2b0c78c6a1ab2d757123d

SHA512
fec28ecd696f903b0ee7589d4fae730bd9cca3a4669ca11dce27ff7db8486b80a463d60023b42f2196448ad50c68111eae21d5ab7ebab56a6e1e155333a76466

Download Submit
C:\Users\Admin\AppData\Local\Temp\622bb9537fd07a30a76a0432df9cd6a18287c8a21f0c461270f7d552f1243abfSrv.exe

Filesize
83KB

MD5
6cb54cfe353a4227029cbef9fd4f84b7

SHA1
cb6c810be8d06bbc7ce8d18aadeb499c8f8f585f

SHA256
3224971b7d8ea8cbb80e3d106a1abf05668e5e369b0e5f4667c1061f881f72cd

SHA512
5a54961e8ed230534caa8b8d6a91147989cf4c784012c92f10fb39ea98cd891ac2486e9da742da87cdd8a388e93da6cec54a5d28d7de866df6585698f108e133

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
837119086fad2f4ffd88c92b93687b80

SHA1
ab394b0d31bd5677cc123a72098422e574b90024

SHA256
469657a5241ef368d255e666fd5b987b14ce343f93bea63140b958807bc84fa3

SHA512
e12b56f1cdee1e87e8e0498bc19fefdfe32817f108b143d63fb3201527aab022612084357dafe13c90e385c9958de8a2bfbae5a8437a4ad1041dffc9d409ec36

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\_desktop.ini

Filesize
9B

MD5
f74f4ac317419affe59fa4d389dd7e7c

SHA1
010f494382d5a64298702fe3732c9b96f438c653

SHA256
74fafb0f14fb17a8a4963d5f46fc50b3517e7aa13414ac5f42edfdf212a9bb01

SHA512
f82fea1632b97d2b6771f43a6941c84d7fbb86f4c4f69e9b4335aa0e166e2670f09d451da61b13cb16994b9294e99b1cfa27f2447579645b3886b7bd014cc00f

Download Submit
memory/716-41-0x000000007F590000-0x000000007F59C000-memory.dmp

Filesize
48KB

Download
memory/716-53-0x000000007F590000-0x000000007F59C000-memory.dmp

Filesize
48KB

Download
memory/716-43-0x000000007F590000-0x000000007F59C000-memory.dmp

Filesize
48KB

Download
memory/716-38-0x000000007F590000-0x000000007F59C000-memory.dmp

Filesize
48KB

Download
memory/716-40-0x0000000077592000-0x0000000077593000-memory.dmp

Filesize
4KB

Download
memory/716-42-0x0000000077593000-0x0000000077594000-memory.dmp

Filesize
4KB

Download
memory/1936-47-0x0000000077592000-0x0000000077593000-memory.dmp

Filesize
4KB

Download
memory/1936-46-0x0000000077592000-0x0000000077593000-memory.dmp

Filesize
4KB

Download
memory/1936-19-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1936-52-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1936-44-0x0000000077592000-0x0000000077593000-memory.dmp

Filesize
4KB

Download
memory/1936-48-0x0000000077593000-0x0000000077594000-memory.dmp

Filesize
4KB

Download
memory/1936-45-0x0000000077592000-0x0000000077593000-memory.dmp

Filesize
4KB

Download
memory/2108-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-30-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-34-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2296-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-51-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2828-5347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-4867-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-49-0x0000000077592000-0x0000000077593000-memory.dmp

Filesize
4KB

Download
memory/2828-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-1294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-24-0x00000000005B0000-0x00000000005BF000-memory.dmp

Filesize
60KB

Download
memory/2876-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download