ramnit | 3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc

Analysis

max time kernel
136s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
Size

111KB
MD5

db7063dd41623179399e9508beb287e8
SHA1

4c7af2ca9eb7ad2c3fadaaa1a988767efb274c27
SHA256

3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc
SHA512

d41a086b1f521c0c57e23dd1bcf6e42b35d1c4e43132ad3f01783b1d5870b2eca22e9362c826dfb2b8f536a0307e01ca67aabf49e09c92ca7b8523616b457089
SSDEEP

1536:4+hzRsibKplyXTq8OGRnsPFG+RODTb7MXL5uXZnzEL9juPctT80YfIng1/Aum6ci:TROzoTq0+RO7IwnYthd80SoP3CCneB

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 3 IoCs

Processes:

3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid process

4408 3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
732 DesktopLayer.exe
4292 DesktopLayerSrv.exe

pid	process
4408	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
732	DesktopLayer.exe
4292	DesktopLayerSrv.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2764-132-0x0000000000400000-0x000000000043D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe	upx
behavioral2/memory/4408-135-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2764-138-0x0000000000400000-0x000000000043D000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
behavioral2/memory/4292-143-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/732-144-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

Processes:

3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exeDesktopLayer.exeDesktopLayerSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxFC56.tmp	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFD9E.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999401"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3981092982"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4132654442"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4028279689"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{17793DED-6F5D-11ED-AECB-FE977829BE37} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999401"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999401"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4132654442"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376433094"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4028279689"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999401"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3981092982"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999401"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999401"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{177916DD-6F5D-11ED-AECB-FE977829BE37} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

DesktopLayer.exeDesktopLayerSrv.exe

pid	process
732	DesktopLayer.exe
732	DesktopLayer.exe
4292	DesktopLayerSrv.exe
4292	DesktopLayerSrv.exe
732	DesktopLayer.exe
732	DesktopLayer.exe
4292	DesktopLayerSrv.exe
4292	DesktopLayerSrv.exe
732	DesktopLayer.exe
732	DesktopLayer.exe
4292	DesktopLayerSrv.exe
4292	DesktopLayerSrv.exe
732	DesktopLayer.exe
732	DesktopLayer.exe
4292	DesktopLayerSrv.exe
4292	DesktopLayerSrv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

3932 iexplore.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

3932 iexplore.exe
4212 iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
3932	iexplore.exe
3932	iexplore.exe
4212	iexplore.exe
4212	iexplore.exe
1896	IEXPLORE.EXE
1836	IEXPLORE.EXE
1896	IEXPLORE.EXE
1836	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exeDesktopLayer.exeDesktopLayerSrv.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2764 wrote to memory of 4408	2764	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
PID 2764 wrote to memory of 4408	2764	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
PID 2764 wrote to memory of 4408	2764	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
PID 2764 wrote to memory of 732	2764	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	DesktopLayer.exe
PID 2764 wrote to memory of 732	2764	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	DesktopLayer.exe
PID 2764 wrote to memory of 732	2764	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	DesktopLayer.exe
PID 732 wrote to memory of 4292	732	DesktopLayer.exe	DesktopLayerSrv.exe
PID 732 wrote to memory of 4292	732	DesktopLayer.exe	DesktopLayerSrv.exe
PID 732 wrote to memory of 4292	732	DesktopLayer.exe	DesktopLayerSrv.exe
PID 732 wrote to memory of 3932	732	DesktopLayer.exe	iexplore.exe
PID 732 wrote to memory of 3932	732	DesktopLayer.exe	iexplore.exe
PID 4292 wrote to memory of 4212	4292	DesktopLayerSrv.exe	iexplore.exe
PID 4292 wrote to memory of 4212	4292	DesktopLayerSrv.exe	iexplore.exe
PID 3932 wrote to memory of 1896	3932	iexplore.exe	IEXPLORE.EXE
PID 3932 wrote to memory of 1896	3932	iexplore.exe	IEXPLORE.EXE
PID 3932 wrote to memory of 1896	3932	iexplore.exe	IEXPLORE.EXE
PID 4212 wrote to memory of 1836	4212	iexplore.exe	IEXPLORE.EXE
PID 4212 wrote to memory of 1836	4212	iexplore.exe	IEXPLORE.EXE
PID 4212 wrote to memory of 1836	4212	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
"C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
2⤵
- Executes dropped EXE
PID:4408

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:732

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4212

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4212 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3932 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
111KB

MD5
db7063dd41623179399e9508beb287e8

SHA1
4c7af2ca9eb7ad2c3fadaaa1a988767efb274c27

SHA256
3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc

SHA512
d41a086b1f521c0c57e23dd1bcf6e42b35d1c4e43132ad3f01783b1d5870b2eca22e9362c826dfb2b8f536a0307e01ca67aabf49e09c92ca7b8523616b457089

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
111KB

MD5
db7063dd41623179399e9508beb287e8

SHA1
4c7af2ca9eb7ad2c3fadaaa1a988767efb274c27

SHA256
3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc

SHA512
d41a086b1f521c0c57e23dd1bcf6e42b35d1c4e43132ad3f01783b1d5870b2eca22e9362c826dfb2b8f536a0307e01ca67aabf49e09c92ca7b8523616b457089

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
dedb504b3469b24ec0df79c68f5772e2

SHA1
177a8b1045b456316ca32d90aba942bf34774c64

SHA256
e18111fd56db31f02eb16990f0bbc7991a0c80571703281ee66010e229c9f8b0

SHA512
101312fa01991caeaef010d0d21e740244cb3768490a1b82ae12e7524e50b6e7f2e23c08978ac4c373e9013baa0a8f50de8e1994341556b78ecd88ce13df5680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
921e22ee5ffad756f2b5a7c6b29192e6

SHA1
5d3f058b73f6ebe8a1013371f835a77d4bc24d0d

SHA256
2f26f295402c151d83f1d22cc7e82c3ebf23baab279d957d769ea3e4cdd70393

SHA512
877516b841e4b713829eb12edb18bbe916fa5b6fa4fbdd5b4d80dcf2c73bcf669a7f61a84054aafb1898d210377b8e29141d61f0744a0f94dfa6040c174187f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{177916DD-6F5D-11ED-AECB-FE977829BE37}.dat
Filesize
3KB

MD5
4e98bbf0d88c6b21f53a9c8e35802f9a

SHA1
04e0f2c5ccfc79ffdb222d8d507a667ddb54dc42

SHA256
24bc1a044b114791739c0665238cd6c575ad8376869072cb3b1824cbf5b882f8

SHA512
6a25969e473c5ca064edc29d18452c40bd3d06fcae833dd3627aafd2350ad949773df0e747a12577807d57d2ece5fdc1d23919aa4df7ffb97d846ca19cacbf4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{17793DED-6F5D-11ED-AECB-FE977829BE37}.dat
Filesize
5KB

MD5
b85c9a7540796e1d3b6c00cc334a275a

SHA1
51cebc7a98c20cfcc69fa0c9ef30ea9bcdfcb7ca

SHA256
a1888f0762915c28176e41cf646657112e4a0e30e5a901895df0044341edca2a

SHA512
03fd33b290f744f1ed761c0831bfc1a5b5d39c1e29adf7668280afdb34473e04c39340e1b4b4becb49a52f8225f9f93b8d6a886958b8171c93fb9c8ffa181e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/732-136-0x0000000000000000-mapping.dmp

Download
memory/732-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2764-138-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2764-132-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4292-139-0x0000000000000000-mapping.dmp

Download
memory/4292-143-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4408-135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4408-133-0x0000000000000000-mapping.dmp

Download