ramnit | f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13e

Analysis

max time kernel
119s
max time network
69s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Size

974KB
MD5

2ee7fa1c362504c853e709367d464320
SHA1

069a3027783111bbff8047b345ba3ec0d1765932
SHA256

f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13e
SHA512

6f951eb5bebb5b9d2ef02480fae63790e37e5247d28bc814cade0a523cd968242a6fc25e03980c43e58ed6ce2e7e516c37061527aa8c2c8932bc9aa4026fc289
SSDEEP

24576:mNoYMx2ZB8Xk61KmjBpVGE7EjwSM8AXjYRyfhfel3gQ:K1MKB8UyjsE7DlNMRywm

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

Processes:

f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exeDesktopLayer.exe

pid	Process
2988	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe
2708	DesktopLayer.exe

Loads dropped DLL 2 IoCs

Processes:

f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exef9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe

pid	Process
2856	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
2988	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000b000000012266-5.dat	upx
behavioral1/memory/2708-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2708-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2988-12-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px6D92.tmp	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exef9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exeDesktopLayer.exeIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438082605"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{46FAE151-A58C-11EF-8BDE-523A95B0E536} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 64 IoCs

Processes:

f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec\ = "[print(\"%1\")]"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\MiscStatus\ = "32"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\LocalServer32	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F9940B~1.EXE /dde"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Insertable	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DocObject\ = "0"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\CLSID\ = "{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\server\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F9940B~1.EXE"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\InprocHandler32\ = "ole32.dll"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\1\ = "&Open,0,2"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\3\ = "Foxit Reader"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\ProgID\ = "FoxitReader.Document"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\ddeexec	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\ = "PDF Document"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\CLSID	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb\0\ = "&Edit"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DocObject	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DocObject\ = "0"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F9940B~1.EXE /dde"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\F9940B~1.EXE\" \"%1\""	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\InprocHandler32	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultIcon	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\2\ = "PDF"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F9940B~1.EXE,1"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\0\ = "&Edit,0,2"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Printable	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\server	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F9940B~1.EXE"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultExtension	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F9940B~1.EXE /dde"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Insertable\	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\2	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DefaultIcon	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Printable\	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DocObject	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\Insertable\	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\3	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\MiscStatus	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F9940B~1.EXE,1"	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultExtension\ = ".pdf, PDF ??(*.pdf) "	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\ddeexec	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid	Process
2708	DesktopLayer.exe
2708	DesktopLayer.exe
2708	DesktopLayer.exe
2708	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid	Process
2920	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exeiexplore.exeIEXPLORE.EXE

pid	Process
2856	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
2856	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
2920	iexplore.exe
2920	iexplore.exe
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exef9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exeDesktopLayer.exeiexplore.exe

description	pid	Process	procid_target
PID 2856 wrote to memory of 2988	2856	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe	30
PID 2856 wrote to memory of 2988	2856	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe	30
PID 2856 wrote to memory of 2988	2856	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe	30
PID 2856 wrote to memory of 2988	2856	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe	30
PID 2988 wrote to memory of 2708	2988	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe	31
PID 2988 wrote to memory of 2708	2988	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe	31
PID 2988 wrote to memory of 2708	2988	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe	31
PID 2988 wrote to memory of 2708	2988	f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe	31
PID 2708 wrote to memory of 2920	2708	DesktopLayer.exe	32
PID 2708 wrote to memory of 2920	2708	DesktopLayer.exe	32
PID 2708 wrote to memory of 2920	2708	DesktopLayer.exe	32
PID 2708 wrote to memory of 2920	2708	DesktopLayer.exe	32
PID 2920 wrote to memory of 2640	2920	iexplore.exe	33
PID 2920 wrote to memory of 2640	2920	iexplore.exe	33
PID 2920 wrote to memory of 2640	2920	iexplore.exe	33
PID 2920 wrote to memory of 2640	2920	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe
"C:\Users\Admin\AppData\Local\Temp\f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe
  C:\Users\Admin\AppData\Local\Temp\f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb26d330c9cb594b22089de6e173148a

SHA1
8a942b7045462762eaa5b71f642a7f659f98c452

SHA256
1fac33cbd75cbd35c738cf8223dc16a54cb6349224c97d7be0c9ce9ee133714d

SHA512
5542aab1fe448fde320ee576a22988b4c2cb5a7ded858d0cef13581330c8654bf8b0a1630f353256c1aab23f578b4005b08ce03188f2faa8aa8d60f623d1f60f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
356da80eb5a839506b28e3019e334846

SHA1
4fbfe1b815ea556e74a3a8eab2646b094dac0133

SHA256
0863fb2c9ccd5bb204c045da87389ed0ae29e5659fc253036ed8d152ee549e8b

SHA512
93901fa8a3a6ed94da33a728221aa42b8a44e3ce6bc99308b0740502c488b54c8a8d8ac28b4112b91da9679222987bba6e376a494fef2a9e461f5f4c84fb7a55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d94ecf775b7b49b10a7d63df3a57c9a

SHA1
80e558254c2430e37332df53750b7d200d7b7a6e

SHA256
bfb396d52170a0e274daea7b78ad221650f5a879fa5c46f4dc8c9db7ad12ccd4

SHA512
083aed659e93a47082cb99973a3c9a7185452be023c74abf307ee6ad801a67ab594b31ec2096e5b3e1f534e36feeb685825d9d6ce90bf9b2ce3b5960bd68e9d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56a5172eb2e802e2688b8447ff78f878

SHA1
042282d0261de6394b6d1cdab4722dae83b6f9f0

SHA256
508f3101765d7fa699bbaad3a55af1af9b40584f5daacc6db0c9ea427b14db62

SHA512
7455cc1377d51a53604a9d4169e1e9bba2c44a7a303a110d0c67f39654c2412f70a712f70ca53b71eb72083d7edf831897ccb9cfc387dd2389ad1ad799e143d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c75a874c43bbe9bdcb874708c7d55274

SHA1
62d136bc214e637a0551442f8766c16d44491780

SHA256
485c776d80f5cf17a047b86910eb03f595d7284ffe2367e08a0fa9f1d63bd0e3

SHA512
ec281e422d13672a9fe86f396f8dd9e4d0b4132acf1e657079a02024b103cb187f54a414fc12cfb67383b3ad9f887a98887eb2872887a0bd943d129a4d82628e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72c308940af0d1ce6000b969d7ba2d9d

SHA1
c70bf941c565b252ed44548b6be80aeda4ddb647

SHA256
7437580c4f9ad3f83d4eaa720f36010fefa0166945f0cee5acd0d91dfe4a9240

SHA512
accf4b014b00273367327a2687b204f3cd216b09a5b209e59531c177c3613d4b7e447d1ad43f47c1c77b5b036c5e1820e1b848c717cda320ac73952325ced686

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37ff390c09ae5ac81b11c5665346f1e3

SHA1
3a36849b9dbfb9bdf4c9cab47f8f0fe312b19564

SHA256
15d4ad1fa259c990dfa09a23bd580fd9428f30ec9b0f7df2589732ab3467ecbc

SHA512
3108348ba662b92cf197d17c1b12ae44c16e9d88b434cf9687579984c69619fbb05f10fdffd1f153a76f4374a79c3ef9496ee9e13fbb3e66858bd633183558e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8221de97a1c793d1d74551950e199344

SHA1
6281ad9e138a0e2451f752553af19c1b8f3ed37f

SHA256
1b76c3ca2ccd0d70b48ccf4b68aa1715d86ab555a7b3c4ae740dd01f2f065855

SHA512
ae4f0be36127402a721c0320f0905f373dd36f6843e9b45e90224863cc8c990e2100710ecd030d71d4e78d2de157bcb3661d5217fc93bc171e1669b23c303beb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03e1a121372b0d70e7e5a9b0e17a9e89

SHA1
05dcbedfb05bcd61d5fb6fdd4e3a9da3427855cd

SHA256
7411a4dccf6fb9f8f42348c2d16e608b63c5d25d6e1b991e97791478df2e1fcd

SHA512
93ca0ad8bb569ed887ff3b6faecf281d2c002a43f07a0e6acc1711f468ac52513eb6754f81a86c72be64c339f0dd5d540e96ba5c942a84cb7169242f767ac081

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bc24e19cc3b124d80d76e07e10be80e

SHA1
dce78671c00e66d3124e4ff42cbe743c12eceb91

SHA256
81ce07554b7a7468340fc3fc1df652ac8ef0608d7f56fa0fb6b43bcfcd87cb85

SHA512
c498ff378a69c6f3800cee99240271c340733758ab7a6476bf815f40110b25770a8d552e88102e2b2aa32bdae666b9b146f1ce1b22adc117b6ae4969c312e174

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3a3f0d742ff433af197e41958597502

SHA1
00b759c9c80043d899b31d71d79c3423a938064a

SHA256
8b954c4bc8a5e5ec4ecfa58764b9b344a1bd7ecad2f25b54ae15d854e4b122f5

SHA512
31f65351c7c6c3b0d9714630f8f72634ccdc96c1c530c2962cf304a2dd88fbe5a0901db849facdf8ac3e0534ec63bf74f706507339730dc18b67b862d4f49278

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d507461a2f014bf2484f596e7c5d4f9c

SHA1
1f80773341b78dd96ae83700bf250a963a798703

SHA256
e1b5444c7d4e67fcc948e163248587129245853c3962a577e5034e92ea1d42f9

SHA512
6683ddad174a83f91e4ace65bdbecd1d70093b917d4774dbaa535f68936362e5a8e1a51ab496b0815089137ec5d292eb0ddb9f8d3cb337b0a5d0c67d2b9e0a53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6314f09e41599fdc74bf4b2133251bb

SHA1
e049bdd992585ebbe8c1892c9f5d10275d3602d5

SHA256
cd7c006d4c38c0796062c06baf48b2593a43ddf7ab59a20f7929acac240405bf

SHA512
ea9d6d6ce30245ccc31fdedf9c0af46bd3871411ad046311ea440de84bf57d5eac43bc66d6ababd97d4272847a9d566907f00d330cf528f493480c4a0c4b207b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
206dcba3deb99e6290cb482675555d52

SHA1
0a2f302b75a31ef8d386434c58a1df342d553c34

SHA256
42524f7090a279fa29622cb03105947558639cced6fd0a76c4961b163287a816

SHA512
4981dec97a2eb05adae7d5c52254e13c24f6a7cf5d34d792d91a13cf4955376809d23b89c7ff2bec73c6ebf753049ded487d71fcbb97a206c4a5d285372d6f1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd53cdf7a555516787616e49bbd6ac14

SHA1
df7f17e42e611b2ffcc26200a9786653bb8dda51

SHA256
1d08a2d3d6079be35d50455b7e2ab0cde1b0538f17e89876d7b55379496a7dea

SHA512
933ebdaa9323272477f6d2c84ee7081c278781150352c81cceeb3e74eabb46e23e3e42754898bfda3b02b2b9357e3b1fbd270e190b5e6f3ceef58204d9ba3a35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6df6cdc4d52cd6a59ada83e795941d83

SHA1
7f41e993fc946f23a77a26633f1d2c6371832fd5

SHA256
e6f46a2d713d48307553b67500eb88840873d4b7153e66daf482f01ab57c47d8

SHA512
843482c8d52a277818d9f2281c29c9b068093ac2dcf288f4626314078db66a935faa4790c02ea96b5671ef53ed8b2053998e2f972a077dc77fe404ba4c7f873b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f05f4dd1dfa31fe52b784325e4449e6

SHA1
ff5b412ea39ac0b5240530157018c546a6bb2593

SHA256
b2612ba6adb313ba51aab3a1f7991d1cc15a1a361f1e723fd830a91005ccf203

SHA512
0853e3668738b1c193920d4333123cf120211299728501e65eb1231faec7696b3c7aa60989d963cf755aa7248a4e9c6d0ff26a8befaf5f6a72361f2ff5176977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ae17cae75c6c7e0dc7ff1793bf291c9

SHA1
9a0489ae52592cd73129959b29506cb36da71cb6

SHA256
4114d7e7509aec835209a3b1d2dc9ffb1fbd04064343e6be7b10315b70962fcb

SHA512
3545fd0b421685900ec8a01bd951d3a66195b8261bd5bdb9e2af9e0cfc9b296510ced0a72b8f8f5132256e97f7a48eecba7b2a97c11df41fd1e633980c64b932

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44962e61a02730136a166a905374a51e

SHA1
8d546861d30666390d071a6ff3fffe68d03cc062

SHA256
901787cb4e0b99fdd9586dc3678028d489d5cb53da91ee460a154b5cea07bdc9

SHA512
8ebaebe6092e83f633f6ccbda7900c410c9ef88f477dbb3e2834b8ac49e61664d1f36d1f923dde1f59aeaaf62c718a44497a3cfcec27321c634f3fdb72d746bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c183deba170697e84a6f760781bbd1b

SHA1
4d1e8e6107c2f85df05772d88ea99719c5dd7d8e

SHA256
2b7cabe8da3b13eb2f6e419342eee9c1e74c9325e7152e94e49b0738ae667982

SHA512
ee143e1e2bcedfceb2da0dab72cfc02115ac4a4e552195d6439486b48fddf4d0f61a043f7b6570df3f0b2290c691fe8b679500f09e961412d776e637ac8983d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8588.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8607.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9940bd4f3b2c47272cdc01134375bb29910aeecde9a088ac1381d7e4494b13eNSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2708-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2708-18-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2708-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2856-0-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2856-452-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2856-22-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2856-14-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2856-13-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2856-21-0x0000000003690000-0x0000000003932000-memory.dmp

Filesize
2.6MB

Download
memory/2856-23-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2856-891-0x0000000003690000-0x0000000003932000-memory.dmp

Filesize
2.6MB

Download
memory/2988-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download