ramnit | f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
Size

224KB
MD5

f2aad06c8f940ac3858c35441f51aed8
SHA1

6446f26313dd390726c42859fd3b1392f6865204
SHA256

f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f
SHA512

08a4b974963cbd33314b157ba68df8afff033ec51f80eba0e60080a42fa8753665e5fae4421d813f91bf94f11c9cdb0ff78997652d725ef74beafbccfa394bbf
SSDEEP

6144:HkdNwBEUdHxHeE1zT6wVmaF8k8D3ewNklI:HkvnUh1zT6umhkIai

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
4072	DesktopLayer.exe
1068	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
3512	DesktopLayerSrv.exe
3132	DesktopLayerSrvSrv.exe
904	DesktopLayerSrvSrvSrv.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1764-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/files/0x000c000000023b35-10.dat	upx
behavioral1/memory/452-11-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4072-21-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/files/0x000b000000023b93-30.dat	upx
behavioral1/memory/2148-46-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/3132-52-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/3132-61-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/904-64-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/904-60-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000c000000023b95-54.dat	upx
behavioral1/memory/3512-45-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4072-44-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1068-40-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3512-38-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/452-36-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4072-35-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2148-34-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1068-32-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000b000000023b92-25.dat	upx
behavioral1/memory/452-20-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2148-16-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/452-15-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1764-9-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/452-4-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8405.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8462.tmp	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px83B7.tmp	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px83C6.tmp	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8491.tmp	DesktopLayerSrvSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8388.tmp	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8388.tmp	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrvSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443917174"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156525"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B8A29ECE-D520-11EF-AEE2-4A034D48373C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156525"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2373728333"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2373728333"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156525"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156525"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2373728333"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2373728333"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B8A03C15-D520-11EF-AEE2-4A034D48373C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156525"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B8A2C5DE-D520-11EF-AEE2-4A034D48373C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2367634450"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156525"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B8945047-D520-11EF-AEE2-4A034D48373C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156525"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156525"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
4072	DesktopLayer.exe
4072	DesktopLayer.exe
2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
4072	DesktopLayer.exe
4072	DesktopLayer.exe
1068	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
1068	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
1068	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
1068	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
4072	DesktopLayer.exe
4072	DesktopLayer.exe
4072	DesktopLayer.exe
4072	DesktopLayer.exe
1068	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
1068	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
1068	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
1068	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
3512	DesktopLayerSrv.exe
3512	DesktopLayerSrv.exe
3512	DesktopLayerSrv.exe
3512	DesktopLayerSrv.exe
3512	DesktopLayerSrv.exe
3512	DesktopLayerSrv.exe
2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
3512	DesktopLayerSrv.exe
3512	DesktopLayerSrv.exe
2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
3132	DesktopLayerSrvSrv.exe
3132	DesktopLayerSrvSrv.exe
3132	DesktopLayerSrvSrv.exe
3132	DesktopLayerSrvSrv.exe
3132	DesktopLayerSrvSrv.exe
3132	DesktopLayerSrvSrv.exe
3132	DesktopLayerSrvSrv.exe
3132	DesktopLayerSrvSrv.exe
904	DesktopLayerSrvSrvSrv.exe
904	DesktopLayerSrvSrvSrv.exe
904	DesktopLayerSrvSrvSrv.exe
904	DesktopLayerSrvSrvSrv.exe
904	DesktopLayerSrvSrvSrv.exe
904	DesktopLayerSrvSrvSrv.exe
904	DesktopLayerSrvSrvSrv.exe
904	DesktopLayerSrvSrvSrv.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1732	iexplore.exe
4100	iexplore.exe
1116	iexplore.exe
4880	iexplore.exe
2968	iexplore.exe
2028	iexplore.exe
620	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
4100	iexplore.exe
4100	iexplore.exe
2968	iexplore.exe
2968	iexplore.exe
2028	iexplore.exe
2028	iexplore.exe
4880	iexplore.exe
4880	iexplore.exe
620	iexplore.exe
620	iexplore.exe
1732	iexplore.exe
1732	iexplore.exe
1116	iexplore.exe
1116	iexplore.exe
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
3092	IEXPLORE.EXE
3092	IEXPLORE.EXE
5000	IEXPLORE.EXE
5000	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
3744	IEXPLORE.EXE
3744	IEXPLORE.EXE
4916	IEXPLORE.EXE
4916	IEXPLORE.EXE
4760	IEXPLORE.EXE
4760	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 452	1764	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	83
PID 1764 wrote to memory of 452	1764	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	83
PID 1764 wrote to memory of 452	1764	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	83
PID 452 wrote to memory of 2148	452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe	84
PID 452 wrote to memory of 2148	452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe	84
PID 452 wrote to memory of 2148	452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe	84
PID 1764 wrote to memory of 4072	1764	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	85
PID 1764 wrote to memory of 4072	1764	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	85
PID 1764 wrote to memory of 4072	1764	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	85
PID 2148 wrote to memory of 1068	2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe	86
PID 2148 wrote to memory of 1068	2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe	86
PID 2148 wrote to memory of 1068	2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe	86
PID 4072 wrote to memory of 3512	4072	DesktopLayer.exe	88
PID 4072 wrote to memory of 3512	4072	DesktopLayer.exe	88
PID 4072 wrote to memory of 3512	4072	DesktopLayer.exe	88
PID 452 wrote to memory of 2028	452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe	87
PID 452 wrote to memory of 2028	452	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe	87
PID 4072 wrote to memory of 1732	4072	DesktopLayer.exe	89
PID 4072 wrote to memory of 1732	4072	DesktopLayer.exe	89
PID 1068 wrote to memory of 4880	1068	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe	91
PID 1068 wrote to memory of 4880	1068	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe	91
PID 3512 wrote to memory of 3132	3512	DesktopLayerSrv.exe	92
PID 3512 wrote to memory of 3132	3512	DesktopLayerSrv.exe	92
PID 3512 wrote to memory of 3132	3512	DesktopLayerSrv.exe	92
PID 3512 wrote to memory of 1116	3512	DesktopLayerSrv.exe	93
PID 3512 wrote to memory of 1116	3512	DesktopLayerSrv.exe	93
PID 2148 wrote to memory of 2968	2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe	90
PID 2148 wrote to memory of 2968	2148	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe	90
PID 3132 wrote to memory of 904	3132	DesktopLayerSrvSrv.exe	94
PID 3132 wrote to memory of 904	3132	DesktopLayerSrvSrv.exe	94
PID 3132 wrote to memory of 904	3132	DesktopLayerSrvSrv.exe	94
PID 3132 wrote to memory of 4100	3132	DesktopLayerSrvSrv.exe	95
PID 3132 wrote to memory of 4100	3132	DesktopLayerSrvSrv.exe	95
PID 904 wrote to memory of 620	904	DesktopLayerSrvSrvSrv.exe	96
PID 904 wrote to memory of 620	904	DesktopLayerSrvSrvSrv.exe	96
PID 4880 wrote to memory of 2936	4880	iexplore.exe	98
PID 4880 wrote to memory of 2936	4880	iexplore.exe	98
PID 4880 wrote to memory of 2936	4880	iexplore.exe	98
PID 4100 wrote to memory of 3092	4100	iexplore.exe	97
PID 4100 wrote to memory of 3092	4100	iexplore.exe	97
PID 4100 wrote to memory of 3092	4100	iexplore.exe	97
PID 2968 wrote to memory of 3744	2968	iexplore.exe	99
PID 2968 wrote to memory of 3744	2968	iexplore.exe	99
PID 2968 wrote to memory of 3744	2968	iexplore.exe	99
PID 2028 wrote to memory of 4916	2028	iexplore.exe	101
PID 2028 wrote to memory of 4916	2028	iexplore.exe	101
PID 2028 wrote to memory of 4916	2028	iexplore.exe	101
PID 620 wrote to memory of 4760	620	iexplore.exe	103
PID 620 wrote to memory of 4760	620	iexplore.exe	103
PID 620 wrote to memory of 4760	620	iexplore.exe	103
PID 1732 wrote to memory of 1808	1732	iexplore.exe	102
PID 1732 wrote to memory of 1808	1732	iexplore.exe	102
PID 1732 wrote to memory of 1808	1732	iexplore.exe	102
PID 1116 wrote to memory of 5000	1116	iexplore.exe	100
PID 1116 wrote to memory of 5000	1116	iexplore.exe	100
PID 1116 wrote to memory of 5000	1116	iexplore.exe	100

C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
"C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
  C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
      C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4880 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2936
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3744
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4916
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:620 CREDAT:17410 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4760
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4100 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3092
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1116 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5000
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
224KB

MD5
f2aad06c8f940ac3858c35441f51aed8

SHA1
6446f26313dd390726c42859fd3b1392f6865204

SHA256
f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f

SHA512
08a4b974963cbd33314b157ba68df8afff033ec51f80eba0e60080a42fa8753665e5fae4421d813f91bf94f11c9cdb0ff78997652d725ef74beafbccfa394bbf

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe

Filesize
111KB

MD5
24764dd8a78f70d9611c6871af282060

SHA1
df824f6f90fbd9cf0be48b33d5836f400da52fba

SHA256
234d7ec9bec67413058cc4738ac730aead97d53bb37db26265c5be9a54f3195c

SHA512
f79ffb953883e8e018b931f73f38098eed18ebc057807bcf8c9739bf65bf72a98b3f11681684b0afb6e9c69c5816753f5e00d98ad72a5eee3189e7db13f637df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
37827a5b375c40c1d7c482099e06c5bb

SHA1
48a43de39625e410113ec4d2d3e355535c7163a9

SHA256
ffbd974e64098b8a4b5abe5633fe019780fb5eb4fb52418810fbbdc50084ef51

SHA512
e14bdded02c844462222ce326d91cfc2403f2fb164911a7b1401cb5dcb29c804383cf554304a5ea8465d743ef2f0fa78e6cba3f064dad02cd00076c1ac5f843e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
2ab8fd1e55ebba7c07476bcb7cb3d77a

SHA1
a5570cc140fb64a24d69881a0ff1c4eb68dbdaab

SHA256
b640c928e67d7fa5270ddcc3ffd8ea181508238d0a260eaf3d06e200de233f91

SHA512
a2787073d9668367102b4ee48deca3004f425d938a3fb8865b774eb11d61407e9a2a88d5e0e8e5d3c22c3d5c57e9961fac400d41de7379a85fcb08061537f0fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
c2794ddff7ea6e1b4166e24fe1ba4fd3

SHA1
0947620402b21b6371fec9d140da4fa42258c847

SHA256
403553056f8a632f390e170b44eeeba55fbd0613fe5d83d93630771763595559

SHA512
9c10b401297856db4e68b0a0dfb2273cf9eecef9908a80696fb766808be84ac6b01dbe5bceca33a3bb316f959fe263668cbd7775912748aac5a3eeb4e023b9d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B8945047-D520-11EF-AEE2-4A034D48373C}.dat

Filesize
5KB

MD5
51ffc406d63efc5b0f3798a73742332b

SHA1
0cc6ef157b9e048331dd2b760b117d1e72090319

SHA256
70723952ca9fa7c8d46581db07affc56b8fdd75fd431994c48a6cdde7cc9a840

SHA512
82e3375507ebb32487bc5b394f03cdae163ad6b2750d15ab9755163433354dcd6ff8fec7350b1fc7dea024128f2450862e991f77a387cdc3c8df62fb1c535fe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B89B7846-D520-11EF-AEE2-4A034D48373C}.dat

Filesize
5KB

MD5
e3d6797dd8cb8cfab35f1c393722d662

SHA1
a5a7fc63ab13044f7712d912cb43dc72a520435b

SHA256
6ae811f5943cee6ff6a861ec488eb49c9039a43b93bc4a2aa66a3fdc17e5ff5a

SHA512
20d0f710047012fc2cf327806ec23d96c894c34b5a9e0a57cea17ff99621ba893a45d0432b3b9334e71ef74d26e99b098e29a5ce85e660326c4a15ec10e6e07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B8A03C15-D520-11EF-AEE2-4A034D48373C}.dat

Filesize
4KB

MD5
1d6c0f84326ea6886d9ce79eb2710584

SHA1
dd96b74faf6289695d3686a5f423e7d85982b1bb

SHA256
2b11db5ab127fecaf864caca626e85b72c71e320091df19cda5de7cffcf55955

SHA512
08c24de4928b577ccb14de478fbdde7f26ed80db288b2db005559bf30dd74ad54220cc852404a85146f046e74492cfe4249947ccceab743f6cc1b21285019063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B8A2C5DE-D520-11EF-AEE2-4A034D48373C}.dat

Filesize
3KB

MD5
a222d77f65aeae9687af6245e185cd40

SHA1
eec30ffa3e7f72c86dd26bdc75e47b8672169706

SHA256
4e3f9fec390611dfff0c0ba56afd355b28ac0eb1272d6f3ed9b8df0e7cdc28b0

SHA512
445f77a01e38b7fda407385b79ff714b1cbb3c9598c928af448ecf80101408028e4a8e3cb799e3cf02b92651d70b69c21b57aaa2c2eb63016615ac4b73fa28c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B8A2C5DE-D520-11EF-AEE2-4A034D48373C}.dat

Filesize
5KB

MD5
b3d64b43660c67903826e010cf7b1999

SHA1
ff0149ee32ff0d3e3b838ba228df70d0de4e1771

SHA256
a1487ea538dc97551899a59624b190cb2010f0f23023f4b72df79cb1c890f84f

SHA512
9da851cd1afe7b151adc0e1a092dab71dc8ad91edfa86feee699acb40b4e8016359704e8c76791e3a72ff58c3b69e1326c11253424a920c2fd0df358df3a22d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B8B34EEF-D520-11EF-AEE2-4A034D48373C}.dat

Filesize
5KB

MD5
8923b51c249899b200e98320345efec5

SHA1
3bebd8c513f0d3315e117dc7b3fc3c62fbcf0c80

SHA256
e8ba99db05ee497863472e88c59b3a9e0f0f4c79bf57669e77e5916268d4cfe4

SHA512
32ed8230fa939e705c6b6aee064152d1ebdca875a91622cd5fd0b54f006b675c91e98490492ef07c730e727044bc23880372fa349724d8c53c4e481070424001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B8B5B19F-D520-11EF-AEE2-4A034D48373C}.dat

Filesize
3KB

MD5
54c9c6bf3c37ce47f0c69173b4539f27

SHA1
2c8a669dd09803bf2180cda0c2fed6836be160e5

SHA256
a81c8dedf1a611628b0193cad36b7c0cd452c38643461443dded3b4643701994

SHA512
56477985f47b64d463663884ead924e5cb95aa0f1549a7def63b59c3e6892f00d318763f67e79cebf8dbafe23b4685d0344b3d2e800bec1cb124cf0bbbcf238a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe

Filesize
168KB

MD5
727126f322c8684720e27b4b68e47c35

SHA1
fb4df7dbf149f2924e3ccfb39dce1a0fee9b9e66

SHA256
183ac41ef08d6a579c7e104e8c831980159244d3554e1bccca9bf41a35472c58

SHA512
a9394fae75dea1806e28a3889c9609dc17334f74f1a881a1ea6edae3f21ff5ae3940d56f116c9f4a0844aa8fcbac6526a312694d55cee2446d8b8b65add71ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/452-17-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/452-11-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/452-36-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/452-4-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/452-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/452-20-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/904-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/904-59-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/904-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1068-40-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1068-33-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1068-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1764-9-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1764-6-0x00000000005D0000-0x00000000005DF000-memory.dmp

Filesize
60KB

Download
memory/1764-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2148-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2148-34-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2148-46-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3132-61-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3132-52-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3512-38-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3512-45-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3512-43-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4072-44-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4072-27-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4072-35-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4072-21-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download