ramnit | f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f

Analysis

max time kernel
90s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
Size

224KB
MD5

f2aad06c8f940ac3858c35441f51aed8
SHA1

6446f26313dd390726c42859fd3b1392f6865204
SHA256

f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f
SHA512

08a4b974963cbd33314b157ba68df8afff033ec51f80eba0e60080a42fa8753665e5fae4421d813f91bf94f11c9cdb0ff78997652d725ef74beafbccfa394bbf
SSDEEP

6144:HkdNwBEUdHxHeE1zT6wVmaF8k8D3ewNklI:HkvnUh1zT6umhkIai

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 8 IoCs

pid	Process
3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
4044	DesktopLayer.exe
1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
2556	DesktopLayerSrv.exe
3392	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
1216	DesktopLayerSrvSrv.exe
3996	DesktopLayerSrvSrvSrv.exe
2168	DesktopLayer.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1940-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/3856-5-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/files/0x000c000000023b8f-3.dat	upx
behavioral1/memory/1940-7-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/3856-19-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/files/0x0007000000023c89-41.dat	upx
behavioral1/memory/4044-16-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/files/0x000b000000023c7e-14.dat	upx
behavioral1/memory/3856-22-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4044-21-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/files/0x000b000000023c7e-9.dat	upx
behavioral1/memory/3996-58-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1216-43-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/3392-42-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3392-40-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0008000000023c88-38.dat	upx
behavioral1/memory/4044-37-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2556-36-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1048-34-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1216-53-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2168-63-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxCC1A.tmp	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCD33.tmp	DesktopLayerSrvSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCC87.tmp	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCCC6.tmp	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCC49.tmp	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCC87.tmp	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCD04.tmp	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrvSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "549531396"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4BE9F7A4-D51F-11EF-A7EA-FAA11E730504} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156524"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "544062732"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156524"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4BE53388-D51F-11EF-A7EA-FAA11E730504} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156524"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "549531396"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "549531396"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156524"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4BEC5AEA-D51F-11EF-A7EA-FAA11E730504} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "543750015"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4BEA1EB4-D51F-11EF-A7EA-FAA11E730504} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "543750015"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156524"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156524"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156524"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156524"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4044	DesktopLayer.exe
4044	DesktopLayer.exe
3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
4044	DesktopLayer.exe
4044	DesktopLayer.exe
3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
4044	DesktopLayer.exe
4044	DesktopLayer.exe
1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
4044	DesktopLayer.exe
1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
4044	DesktopLayer.exe
1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
2556	DesktopLayerSrv.exe
2556	DesktopLayerSrv.exe
1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
2556	DesktopLayerSrv.exe
2556	DesktopLayerSrv.exe
2556	DesktopLayerSrv.exe
2556	DesktopLayerSrv.exe
2556	DesktopLayerSrv.exe
2556	DesktopLayerSrv.exe
3392	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
3392	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
3392	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
3392	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
3392	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
3392	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
3392	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
3392	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
1216	DesktopLayerSrvSrv.exe
1216	DesktopLayerSrvSrv.exe
1216	DesktopLayerSrvSrv.exe
1216	DesktopLayerSrvSrv.exe
1216	DesktopLayerSrvSrv.exe
1216	DesktopLayerSrvSrv.exe
1216	DesktopLayerSrvSrv.exe
1216	DesktopLayerSrvSrv.exe
2168	DesktopLayer.exe
2168	DesktopLayer.exe
2168	DesktopLayer.exe
2168	DesktopLayer.exe
2168	DesktopLayer.exe
2168	DesktopLayer.exe
2168	DesktopLayer.exe
2168	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4032	iexplore.exe
2240	iexplore.exe
208	iexplore.exe
4508	iexplore.exe
1004	iexplore.exe
4424	iexplore.exe
3472	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
4032	iexplore.exe
4032	iexplore.exe
4424	iexplore.exe
4424	iexplore.exe
2240	iexplore.exe
2240	iexplore.exe
1004	iexplore.exe
1004	iexplore.exe
4508	iexplore.exe
4508	iexplore.exe
208	iexplore.exe
208	iexplore.exe
3472	iexplore.exe
3472	iexplore.exe
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
4308	IEXPLORE.EXE
4308	IEXPLORE.EXE
3352	IEXPLORE.EXE
3352	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
3500	IEXPLORE.EXE
3500	IEXPLORE.EXE
4308	IEXPLORE.EXE
4308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3856	1940	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	83
PID 1940 wrote to memory of 3856	1940	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	83
PID 1940 wrote to memory of 3856	1940	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	83
PID 1940 wrote to memory of 4044	1940	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	84
PID 1940 wrote to memory of 4044	1940	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	84
PID 1940 wrote to memory of 4044	1940	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe	84
PID 4044 wrote to memory of 2556	4044	DesktopLayer.exe	86
PID 4044 wrote to memory of 2556	4044	DesktopLayer.exe	86
PID 4044 wrote to memory of 2556	4044	DesktopLayer.exe	86
PID 3856 wrote to memory of 1048	3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe	85
PID 3856 wrote to memory of 1048	3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe	85
PID 3856 wrote to memory of 1048	3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe	85
PID 3856 wrote to memory of 4424	3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe	87
PID 3856 wrote to memory of 4424	3856	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe	87
PID 1048 wrote to memory of 3392	1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe	88
PID 4044 wrote to memory of 1004	4044	DesktopLayer.exe	89
PID 1048 wrote to memory of 3392	1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe	88
PID 1048 wrote to memory of 3392	1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe	88
PID 4044 wrote to memory of 1004	4044	DesktopLayer.exe	89
PID 2556 wrote to memory of 1216	2556	DesktopLayerSrv.exe	90
PID 2556 wrote to memory of 1216	2556	DesktopLayerSrv.exe	90
PID 2556 wrote to memory of 1216	2556	DesktopLayerSrv.exe	90
PID 1048 wrote to memory of 3472	1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe	91
PID 1048 wrote to memory of 3472	1048	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe	91
PID 2556 wrote to memory of 4508	2556	DesktopLayerSrv.exe	92
PID 2556 wrote to memory of 4508	2556	DesktopLayerSrv.exe	92
PID 3392 wrote to memory of 4032	3392	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe	93
PID 3392 wrote to memory of 4032	3392	f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe	93
PID 1216 wrote to memory of 3996	1216	DesktopLayerSrvSrv.exe	94
PID 1216 wrote to memory of 3996	1216	DesktopLayerSrvSrv.exe	94
PID 1216 wrote to memory of 3996	1216	DesktopLayerSrvSrv.exe	94
PID 1216 wrote to memory of 2240	1216	DesktopLayerSrvSrv.exe	95
PID 1216 wrote to memory of 2240	1216	DesktopLayerSrvSrv.exe	95
PID 3996 wrote to memory of 2168	3996	DesktopLayerSrvSrvSrv.exe	96
PID 3996 wrote to memory of 2168	3996	DesktopLayerSrvSrvSrv.exe	96
PID 3996 wrote to memory of 2168	3996	DesktopLayerSrvSrvSrv.exe	96
PID 2168 wrote to memory of 208	2168	DesktopLayer.exe	97
PID 2168 wrote to memory of 208	2168	DesktopLayer.exe	97
PID 3472 wrote to memory of 3500	3472	iexplore.exe	98
PID 3472 wrote to memory of 3500	3472	iexplore.exe	98
PID 3472 wrote to memory of 3500	3472	iexplore.exe	98
PID 2240 wrote to memory of 4308	2240	iexplore.exe	100
PID 2240 wrote to memory of 4308	2240	iexplore.exe	100
PID 2240 wrote to memory of 4308	2240	iexplore.exe	100
PID 4424 wrote to memory of 1764	4424	iexplore.exe	101
PID 4424 wrote to memory of 1764	4424	iexplore.exe	101
PID 4424 wrote to memory of 1764	4424	iexplore.exe	101
PID 4032 wrote to memory of 1624	4032	iexplore.exe	99
PID 4032 wrote to memory of 1624	4032	iexplore.exe	99
PID 4032 wrote to memory of 1624	4032	iexplore.exe	99
PID 1004 wrote to memory of 2452	1004	iexplore.exe	102
PID 1004 wrote to memory of 2452	1004	iexplore.exe	102
PID 1004 wrote to memory of 2452	1004	iexplore.exe	102
PID 4508 wrote to memory of 3000	4508	iexplore.exe	103
PID 4508 wrote to memory of 3000	4508	iexplore.exe	103
PID 4508 wrote to memory of 3000	4508	iexplore.exe	103
PID 208 wrote to memory of 3352	208	iexplore.exe	104
PID 208 wrote to memory of 3352	208	iexplore.exe	104
PID 208 wrote to memory of 3352	208	iexplore.exe	104

C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe
"C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
  C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
      C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4032 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1624
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3472 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3500
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4424 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1764
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1216
    - - C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3996
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:208 CREDAT:17410 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3352
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2240 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4308
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4508 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3000
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
128KB

MD5
58ee7946a42af5354e013c56fb5eef88

SHA1
5580158957b8bf117c94ab71425c8104146d287f

SHA256
daf2c5c93d48029192c8d480c33e454782811ca83c7f503620805631f88d51e0

SHA512
cedbc42b68499f73e1e8019ea50190ec8fed5c6a43a161ebae7c841f26c9ae320b7c8ab2e765855e9e78ae3d2c71e1dd60b98c50e5be7938266072b880790e34

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
192KB

MD5
337e8761893d879ec044064a0928fa2a

SHA1
885306dff5904f9d11472c4ad6b98576107f2b5d

SHA256
52fba2b16809927c4d68520de42ea008cd6ec2d42493c054c0b477f0f853bdc1

SHA512
4d7bb2d99717ec7fc1151f9959b5fb9b9da6f6f5daa9cb9e9f0309aeb2428a7bdff3f202e1288d48063ad0e5ed97406965a8bfe93ae1c2ebfc0e5afac0a4daea

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe

Filesize
111KB

MD5
24764dd8a78f70d9611c6871af282060

SHA1
df824f6f90fbd9cf0be48b33d5836f400da52fba

SHA256
234d7ec9bec67413058cc4738ac730aead97d53bb37db26265c5be9a54f3195c

SHA512
f79ffb953883e8e018b931f73f38098eed18ebc057807bcf8c9739bf65bf72a98b3f11681684b0afb6e9c69c5816753f5e00d98ad72a5eee3189e7db13f637df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
37827a5b375c40c1d7c482099e06c5bb

SHA1
48a43de39625e410113ec4d2d3e355535c7163a9

SHA256
ffbd974e64098b8a4b5abe5633fe019780fb5eb4fb52418810fbbdc50084ef51

SHA512
e14bdded02c844462222ce326d91cfc2403f2fb164911a7b1401cb5dcb29c804383cf554304a5ea8465d743ef2f0fa78e6cba3f064dad02cd00076c1ac5f843e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
459910ff0de98da1a7ed07c473dffa0c

SHA1
da827a7d5735304ae047a3f3a76d334c49b05310

SHA256
ca4e5c94ee3f395952948d8390994de94a4bb1f6c49471b1aaa0798b013a4666

SHA512
de841240c2b97c92ed84d57ffe69f9f62fb105c030d828fad9a66da800ccbb79ce1151c6e529dcccbbd5fd602a9af53f59c7f762b0b5d525aa79c84d2c1d37a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
ba5ae71676fc355a98ca537f79b19163

SHA1
4b449c6068bee1010c69541f1e3414c3e8892051

SHA256
a1df2c9665d6880f70b53af52d1c6ec049710d7e7827ab3f1aab83f012569a0a

SHA512
bad338e06536309ebc0b06eef492e85010965369a654b0cb5b5796a59d85e3ded2882745947c81f2b7045c285b3852011261d6c24dc19fb9bacec7e2373b0468

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
8f2c882b6763e905bbc6784715ac6f88

SHA1
38a04e408067a9c969da8cd67c7ab5b5dc862c1a

SHA256
ce9e577290c9a0861a6417b9e8ede267f26a1096b1eb70de7718dafd96617c95

SHA512
5791ee235535d6a332f6c5b8d77182da2924dab951b6c4f989fb04db343c36f0742d7cd9a05bb3e094b97a30b1938a53b54fa6c0b7f9dd20a137325f08fe415c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
1b7025ed623e8d2cd3aa57e7ec7c993c

SHA1
7619bb6180a150a80edf195519687271063b05da

SHA256
ba2ad4cfd5b2069ca8560105b971386bc09a050cae5fe3d965fd1a642b8da280

SHA512
91ccb93978a8d282c15ba3a4ef9548f706e4c184dac00ad935bdf756052f458d742131b70b4883e0e8b35b8253c8953864be37684c3c150efbc453d301b0e039

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
82542fc40dba035bf586f4951601b4f2

SHA1
349417f4f385cf58751a1b8a5f60fdf6416e79c9

SHA256
5ed3cb10a6f2808ffc770b0d1197e56cdb04533bdf843f3aa3ef58a2d56d7977

SHA512
8a9332d077ff60993fdc9db4c83e05c797bd9dc443a115af05aa1f76114fabde608fe7505f06b86d0e43369808248ecd72d6f2481429d49513f12448d41a64b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BDE0BC4-D51F-11EF-A7EA-FAA11E730504}.dat

Filesize
5KB

MD5
053893b0a83cbea4b72b56ebe6452862

SHA1
50026bacee8088fa9a3e907f4c836c99d9c8563a

SHA256
e3cc528083864489794555a77cf14b36dee7d8e5d9001f8ccd9b55436c36532b

SHA512
3908705f6951cb219761ac2f9293d871a4f6188c1d8dca305f1a2ae4a62ff93bc2445bcc2133105f484cb88cb310c0fa60581bb3c23583f3cf6e4012c38e7760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BE53388-D51F-11EF-A7EA-FAA11E730504}.dat

Filesize
5KB

MD5
76d39b64ddde01924fbd9fdef09cdd7c

SHA1
2f0d4452e861f057c5d77790e19130361e99b149

SHA256
655b4cac274d7ecb4b9e1fe12f31d48c813c4d0f8596589cc0e98d145558047d

SHA512
30530a0bb1147c08122ff066e872df137027eff3c07426ad4e79f8eb52af1835046208e2de04ccccaeedcfe2f5cf1293a57d6c594f07c5343a901d2312f4d612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BE9F7A4-D51F-11EF-A7EA-FAA11E730504}.dat

Filesize
5KB

MD5
9e827dbef7788033c49526ccd177bf9b

SHA1
806599cec85a1eafb4b31a4f1a31f04491d5d5bc

SHA256
4088d54e5090d552485135e0ae2d22135733f38d1702a480b46b90c5019460ca

SHA512
1e0aa01ff4a7520eba16989a823ad9e5843dd58c9d175da66964a2d31771dc52faf3b650ce9880b71c145c459f59c243d199ee004bcfff831e8a840c94053680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BEC5AEA-D51F-11EF-A7EA-FAA11E730504}.dat

Filesize
3KB

MD5
ff66b4eb9f972a10cd74b591452b519d

SHA1
72e1a063af52e35c779d111ab170ae0556d9ecac

SHA256
f98cd596b699d84952932dc14258d68087e4422c8a57909f49c6113bd264da8e

SHA512
ecf90ed6d37ed7cace195951d2464a4c69d73a4345b46984a57c902319ad507347e536677d17f562071cdd24b0552e2924db860dd61dab1fa7a139a6d1520f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BF5E352-D51F-11EF-A7EA-FAA11E730504}.dat

Filesize
3KB

MD5
6a0cb86b70c85cb4eaf516bfd0c4e13c

SHA1
3f4b4c4d86681e00a9f575e8102d41b709706614

SHA256
b1b19998ce982890e67ac605f4cd54ed41ceabde45ef9241e17aca03a569ec7d

SHA512
7df627a1cfd5bd0f044cdc13a7a6b7c31719e83350578bec577f3f5fd5130d53b285b68e6804f268c146d3361072da7c6b516c45b64c9167ba66144d2ce9d1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BF5E352-D51F-11EF-A7EA-FAA11E730504}.dat

Filesize
5KB

MD5
c7e342481b924d6095dc6414ec7a4612

SHA1
4bacd46022fdaa521683f509c4c1e915b5ac9657

SHA256
ec855d4969c9767d485be5d566d1cc62c41a6500fe5c20801b8bb6d3e321ebab

SHA512
7ac1b14eb73b3e78c488bdd28c1a4e20680cbe793a1ed4811b87c3854d65717120cd99af6f726acf99d48d4bfe6e72ae9ee75a85fa10fdb0394d45ee3e7efa7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BFD09DB-D51F-11EF-A7EA-FAA11E730504}.dat

Filesize
3KB

MD5
f10aca5688fa82b0a21b23153b5a70de

SHA1
f119e620c5105730b116b2c0f5afb35620f36590

SHA256
16163e345464875d3f8bf3edd74068ede47af8381a1b2f8b3bf5351683da14ee

SHA512
2155387878cda5285e1cf666d5ea93ed3dc0a0f390df99aee2952a484896821f4cd8926cc8cf71a1df1c8f3a4d106a44a201eb154df08ff740e11578a145443f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrv.exe

Filesize
168KB

MD5
727126f322c8684720e27b4b68e47c35

SHA1
fb4df7dbf149f2924e3ccfb39dce1a0fee9b9e66

SHA256
183ac41ef08d6a579c7e104e8c831980159244d3554e1bccca9bf41a35472c58

SHA512
a9394fae75dea1806e28a3889c9609dc17334f74f1a881a1ea6edae3f21ff5ae3940d56f116c9f4a0844aa8fcbac6526a312694d55cee2446d8b8b65add71ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f689acc62f7d17b5121a35e6234889d27ddec8bb2990c834cd041a2f4bfb4a3fSrvSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1048-34-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1048-29-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1216-43-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1216-50-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1216-53-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1940-4-0x00000000006D0000-0x00000000006DF000-memory.dmp

Filesize
60KB

Download
memory/1940-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1940-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2168-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2556-36-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3392-42-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3392-39-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/3392-40-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3856-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3856-22-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3856-19-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3856-18-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/3996-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4044-17-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4044-16-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4044-21-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4044-37-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download