ramnit | affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5

Analysis

max time kernel
95s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe
Size

224KB
MD5

12065ac9a01ba6540ae6545143a8ade0
SHA1

d463ae79e448eb911274418808f0baee0f419671
SHA256

affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5
SHA512

6bf78ada4bde6b96223461d70de9853a32ca3463f6b1a37c811eee26b794d959559fef0f22d55dc026ae8228ecd0aad5ea8bbc8f7cf84a9af6d27df0f336f198
SSDEEP

6144:HkdNwBEUdHxHeE1zT6wVmaF8k8D3ewNkl:HkvnUh1zT6umhkIa

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 8 IoCs

pid	Process
4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
4844	DesktopLayer.exe
884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
3800	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
1216	DesktopLayerSrv.exe
2104	DesktopLayerSrvSrv.exe
3092	DesktopLayerSrvSrvSrv.exe
1840	DesktopLayer.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1868-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/files/0x000c000000023b33-3.dat	upx
behavioral1/memory/4176-4-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1868-7-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/4176-17-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/884-16-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/files/0x000a000000023b92-29.dat	upx
behavioral1/memory/4176-28-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/4844-26-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/files/0x000a000000023b90-24.dat	upx
behavioral1/memory/1840-64-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2104-58-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/3092-57-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1216-49-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2104-48-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1216-44-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3800-43-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/4844-31-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/3800-33-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/884-32-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/files/0x000c000000023b8c-20.dat	upx
behavioral1/files/0x000c000000023b8c-10.dat	upx

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px952B.tmp	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9589.tmp	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px95C8.tmp	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px95E7.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px954B.tmp	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9635.tmp	DesktopLayerSrvSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9635.tmp	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrvSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156531"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{66FBB69E-D526-11EF-9361-F6235BFAC6D3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1002272877"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1002272877"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6707A266-D526-11EF-9361-F6235BFAC6D3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{66EFCA53-D526-11EF-9361-F6235BFAC6D3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156531"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156531"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156531"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156531"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "998523060"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "998523060"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "998523060"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6702DD63-D526-11EF-9361-F6235BFAC6D3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{66FE18B0-D526-11EF-9361-F6235BFAC6D3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
4844	DesktopLayer.exe
4844	DesktopLayer.exe
4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
4844	DesktopLayer.exe
4844	DesktopLayer.exe
884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
4844	DesktopLayer.exe
4844	DesktopLayer.exe
4844	DesktopLayer.exe
4844	DesktopLayer.exe
3800	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
3800	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
3800	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
3800	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
3800	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
3800	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
3800	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
3800	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
1216	DesktopLayerSrv.exe
1216	DesktopLayerSrv.exe
1216	DesktopLayerSrv.exe
1216	DesktopLayerSrv.exe
1216	DesktopLayerSrv.exe
1216	DesktopLayerSrv.exe
1216	DesktopLayerSrv.exe
1216	DesktopLayerSrv.exe
2104	DesktopLayerSrvSrv.exe
2104	DesktopLayerSrvSrv.exe
2104	DesktopLayerSrvSrv.exe
2104	DesktopLayerSrvSrv.exe
2104	DesktopLayerSrvSrv.exe
2104	DesktopLayerSrvSrv.exe
2104	DesktopLayerSrvSrv.exe
2104	DesktopLayerSrvSrv.exe
1840	DesktopLayer.exe
1840	DesktopLayer.exe
1840	DesktopLayer.exe
1840	DesktopLayer.exe
1840	DesktopLayer.exe
1840	DesktopLayer.exe
1840	DesktopLayer.exe
1840	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4640	iexplore.exe
2720	iexplore.exe
3460	iexplore.exe
4668	iexplore.exe
1472	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2720	iexplore.exe
2720	iexplore.exe
4640	iexplore.exe
4640	iexplore.exe
4668	iexplore.exe
4668	iexplore.exe
3460	iexplore.exe
3460	iexplore.exe
1472	iexplore.exe
1472	iexplore.exe
5024	IEXPLORE.EXE
5024	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
5048	IEXPLORE.EXE
5048	IEXPLORE.EXE
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
5008	IEXPLORE.EXE
5008	IEXPLORE.EXE
5024	IEXPLORE.EXE
5024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 4176	1868	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe	82
PID 1868 wrote to memory of 4176	1868	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe	82
PID 1868 wrote to memory of 4176	1868	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe	82
PID 1868 wrote to memory of 4844	1868	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe	83
PID 1868 wrote to memory of 4844	1868	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe	83
PID 1868 wrote to memory of 4844	1868	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe	83
PID 4176 wrote to memory of 884	4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe	84
PID 4176 wrote to memory of 884	4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe	84
PID 4176 wrote to memory of 884	4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe	84
PID 4844 wrote to memory of 1216	4844	DesktopLayer.exe	86
PID 4844 wrote to memory of 1216	4844	DesktopLayer.exe	86
PID 4844 wrote to memory of 1216	4844	DesktopLayer.exe	86
PID 4176 wrote to memory of 2720	4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe	85
PID 4176 wrote to memory of 2720	4176	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe	85
PID 884 wrote to memory of 3800	884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe	87
PID 884 wrote to memory of 3800	884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe	87
PID 884 wrote to memory of 3800	884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe	87
PID 884 wrote to memory of 4640	884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe	88
PID 884 wrote to memory of 4640	884	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe	88
PID 4844 wrote to memory of 4668	4844	DesktopLayer.exe	89
PID 4844 wrote to memory of 4668	4844	DesktopLayer.exe	89
PID 3800 wrote to memory of 3460	3800	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe	90
PID 3800 wrote to memory of 3460	3800	affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe	90
PID 1216 wrote to memory of 2104	1216	DesktopLayerSrv.exe	91
PID 1216 wrote to memory of 2104	1216	DesktopLayerSrv.exe	91
PID 1216 wrote to memory of 2104	1216	DesktopLayerSrv.exe	91
PID 1216 wrote to memory of 1472	1216	DesktopLayerSrv.exe	92
PID 1216 wrote to memory of 1472	1216	DesktopLayerSrv.exe	92
PID 2104 wrote to memory of 3092	2104	DesktopLayerSrvSrv.exe	93
PID 2104 wrote to memory of 3092	2104	DesktopLayerSrvSrv.exe	93
PID 2104 wrote to memory of 3092	2104	DesktopLayerSrvSrv.exe	93
PID 3092 wrote to memory of 1840	3092	DesktopLayerSrvSrvSrv.exe	94
PID 3092 wrote to memory of 1840	3092	DesktopLayerSrvSrvSrv.exe	94
PID 3092 wrote to memory of 1840	3092	DesktopLayerSrvSrvSrv.exe	94
PID 2104 wrote to memory of 1984	2104	DesktopLayerSrvSrv.exe	95
PID 2104 wrote to memory of 1984	2104	DesktopLayerSrvSrv.exe	95
PID 1840 wrote to memory of 1928	1840	DesktopLayer.exe	96
PID 1840 wrote to memory of 1928	1840	DesktopLayer.exe	96
PID 2720 wrote to memory of 1800	2720	iexplore.exe	97
PID 2720 wrote to memory of 1800	2720	iexplore.exe	97
PID 2720 wrote to memory of 1800	2720	iexplore.exe	97
PID 4640 wrote to memory of 5024	4640	iexplore.exe	98
PID 4640 wrote to memory of 5024	4640	iexplore.exe	98
PID 4640 wrote to memory of 5024	4640	iexplore.exe	98
PID 4668 wrote to memory of 5008	4668	iexplore.exe	99
PID 4668 wrote to memory of 5008	4668	iexplore.exe	99
PID 4668 wrote to memory of 5008	4668	iexplore.exe	99
PID 3460 wrote to memory of 5048	3460	iexplore.exe	100
PID 3460 wrote to memory of 5048	3460	iexplore.exe	100
PID 3460 wrote to memory of 5048	3460	iexplore.exe	100
PID 1472 wrote to memory of 2160	1472	iexplore.exe	101
PID 1472 wrote to memory of 2160	1472	iexplore.exe	101
PID 1472 wrote to memory of 2160	1472	iexplore.exe	101

C:\Users\Admin\AppData\Local\Temp\affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe
"C:\Users\Admin\AppData\Local\Temp\affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
  C:\Users\Admin\AppData\Local\Temp\affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Users\Admin\AppData\Local\Temp\affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
      C:\Users\Admin\AppData\Local\Temp\affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3800
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3460
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3460 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5048
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4640 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5024
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1800
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3092
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        
        PID:1928
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        
        PID:1984
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2160
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4668 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
224KB

MD5
12065ac9a01ba6540ae6545143a8ade0

SHA1
d463ae79e448eb911274418808f0baee0f419671

SHA256
affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5

SHA512
6bf78ada4bde6b96223461d70de9853a32ca3463f6b1a37c811eee26b794d959559fef0f22d55dc026ae8228ecd0aad5ea8bbc8f7cf84a9af6d27df0f336f198

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
192KB

MD5
337e8761893d879ec044064a0928fa2a

SHA1
885306dff5904f9d11472c4ad6b98576107f2b5d

SHA256
52fba2b16809927c4d68520de42ea008cd6ec2d42493c054c0b477f0f853bdc1

SHA512
4d7bb2d99717ec7fc1151f9959b5fb9b9da6f6f5daa9cb9e9f0309aeb2428a7bdff3f202e1288d48063ad0e5ed97406965a8bfe93ae1c2ebfc0e5afac0a4daea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
37827a5b375c40c1d7c482099e06c5bb

SHA1
48a43de39625e410113ec4d2d3e355535c7163a9

SHA256
ffbd974e64098b8a4b5abe5633fe019780fb5eb4fb52418810fbbdc50084ef51

SHA512
e14bdded02c844462222ce326d91cfc2403f2fb164911a7b1401cb5dcb29c804383cf554304a5ea8465d743ef2f0fa78e6cba3f064dad02cd00076c1ac5f843e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
1e0ce47e3a3cc5d942c6f0bad06fbccc

SHA1
afdca9374e39bffb3507dd756f7df940e8c6e633

SHA256
0980b9cf479f2fc7a99036e90d84a588a46ce91fa42cb5acd2fa69e16cd54277

SHA512
d5af8f518861d0e91ebc7611bf490338ca1e675e5b9e714497158d2e44ceb4687a63fc9368b793692af52e2de7de3729b7d0b357855c8c2567e4dabea359f40a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{66EFCA53-D526-11EF-9361-F6235BFAC6D3}.dat

Filesize
5KB

MD5
d7848db4bd7260f008126fe6575a736c

SHA1
e3f09da86c3063afb9e2b35cfc13488536e49301

SHA256
3e0cb3d9e94bb699463c3ac72aa9d11eb535a082acbfa546ec8dd6e867df79df

SHA512
185f401fe4d0d258a57d55fc6462cc8452f0a7bf761fe12b2add311716c962ecba4873961ec916cf3af0f456175e5f86febcb9414712e9ef8fe4853953f70c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{66FBB69E-D526-11EF-9361-F6235BFAC6D3}.dat

Filesize
5KB

MD5
451a94e8cd909d7ff0b37922f4708e61

SHA1
7ad46f3cc242b5fef2a3129a55f6be85b54d74c4

SHA256
dfe2df89dfde0477c60a2c6b503f35c0df1dfafd3956be9e3b436f437d16975a

SHA512
ccb0d4fbc6a60b5301ff25836d16ca28f699074ec2e9eb9cbbb4729266c5359de7d4e84b283f34cab40fed1b392675600411a2913252a264c061e93c08eea621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{66FE18B0-D526-11EF-9361-F6235BFAC6D3}.dat

Filesize
5KB

MD5
7353b4469b4b32bcacc1c45d1a444328

SHA1
ee2c24d110e76fd5c95d03954151c63728f2bfd7

SHA256
ad25617aa07ca52a635eab9cafc7605ebbed4bc5fa1b123bdf9c5e035411cb36

SHA512
1bee934b065a3c1c2170a1ae8c01916527e1d96b1d5f775db19adba7205a9cf1108eabb38bd316e150923a76764e83174556d92bbd58b829101b5609967c6d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6702DD63-D526-11EF-9361-F6235BFAC6D3}.dat

Filesize
5KB

MD5
796312b722d93f5c7ebf42772acef7ed

SHA1
657fae5a2569d437e3bc73b2de1193353a293b68

SHA256
e61b1b6d1fea5eaf5593ccc5be1e70426d91c38fceb0dbaf09ed8051f3dca236

SHA512
c515f8c4db9bcbb293dc3ea3aa27487149627efa4f99935f37a36a53e8cf71d03bf9f9a7b8252a2f372e6f1e0c3bf9d744182bc67ceb9ee904ff80480358d364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6707A266-D526-11EF-9361-F6235BFAC6D3}.dat

Filesize
3KB

MD5
9919ffc6e4334db8eba34853e03e4180

SHA1
f2cfbfa9e3f8e9e62885a615ac641d48de7b7872

SHA256
1004bd8a31baff6a1cb2390a41835aa2f72b5d758e619b86848160b3966eac77

SHA512
cc790ee5b2f849283fe2e32fdd8bc3198140be70fd4ee05a2e6279f53a1785b7aeda18f42f9f87a997da7b44e295d5f4770a559a284e163f6a16226fc8844616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrv.exe

Filesize
168KB

MD5
727126f322c8684720e27b4b68e47c35

SHA1
fb4df7dbf149f2924e3ccfb39dce1a0fee9b9e66

SHA256
183ac41ef08d6a579c7e104e8c831980159244d3554e1bccca9bf41a35472c58

SHA512
a9394fae75dea1806e28a3889c9609dc17334f74f1a881a1ea6edae3f21ff5ae3940d56f116c9f4a0844aa8fcbac6526a312694d55cee2446d8b8b65add71ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrv.exe

Filesize
111KB

MD5
24764dd8a78f70d9611c6871af282060

SHA1
df824f6f90fbd9cf0be48b33d5836f400da52fba

SHA256
234d7ec9bec67413058cc4738ac730aead97d53bb37db26265c5be9a54f3195c

SHA512
f79ffb953883e8e018b931f73f38098eed18ebc057807bcf8c9739bf65bf72a98b3f11681684b0afb6e9c69c5816753f5e00d98ad72a5eee3189e7db13f637df

Download Submit
C:\Users\Admin\AppData\Local\Temp\affc6a6cae71b3ec73d81757d4c520574c34c34ec6f0a0c7d49c8c97015273f5NSrvSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/884-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/884-25-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/884-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1216-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1216-44-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1216-41-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1840-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1840-63-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1868-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1868-5-0x0000000000710000-0x000000000071F000-memory.dmp

Filesize
60KB

Download
memory/1868-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2104-58-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2104-56-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2104-48-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3092-57-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3800-43-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3800-33-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3800-37-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/4176-4-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4176-28-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4176-17-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4176-14-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/4844-21-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/4844-26-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4844-31-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download