ramnit | e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b

Analysis

max time kernel
25s
max time network
139s
platform
windows7_x64
resource
win7v20210408
submitted
11-05-2021 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe
Size

224KB
MD5

01847661bed25ae4cffb7bec7a004943
SHA1

30620170803fb8c97a9253f658ab6fa9f146a876
SHA256

e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b
SHA512

bcc32e70c3457175cb64cae36ae07cff545ba586f72cae1b99164b3c7fe89e87883754b212d545bf5bba58fe37c5e5be1fb5531378455db45a09bdbdc3d72ed3

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 6 IoCs

Processes:

e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exee54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exeDesktopLayerSrvSrvSrv.exe

pid	process
1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
2036	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exe
2020	DesktopLayer.exe
520	DesktopLayerSrv.exe
1868	DesktopLayerSrvSrv.exe
1440	DesktopLayerSrvSrvSrv.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe	upx
\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
behavioral1/memory/1668-95-0x0000000000400000-0x0000000000459000-memory.dmp	upx
\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe	upx
behavioral1/memory/1868-101-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1440-107-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1852-109-0x0000000000400000-0x000000000044B000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe	upx

Loads dropped DLL 6 IoCs

Processes:

e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exee54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exeDesktopLayer.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exe

pid	process
1668	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe
1668	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe
1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
2020	DesktopLayer.exe
520	DesktopLayerSrv.exe
1868	DesktopLayerSrvSrv.exe

Drops file in Program Files directory 14 IoCs

Processes:

e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exeDesktopLayerSrvSrvSrv.exee54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exeDesktopLayer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8611.tmp	DesktopLayerSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px83D0.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8508.tmp	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8112.tmp	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px819E.tmp	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9171F401-B25A-11EB-83FC-FEBA24881352} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{91B83461-B25A-11EB-83FC-FEBA24881352} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exeDesktopLayer.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exeDesktopLayerSrvSrvSrv.exe

pid	process
1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
2020	DesktopLayer.exe
2020	DesktopLayer.exe
2020	DesktopLayer.exe
2020	DesktopLayer.exe
520	DesktopLayerSrv.exe
520	DesktopLayerSrv.exe
520	DesktopLayerSrv.exe
520	DesktopLayerSrv.exe
1868	DesktopLayerSrvSrv.exe
1440	DesktopLayerSrvSrvSrv.exe
1868	DesktopLayerSrvSrv.exe
1868	DesktopLayerSrvSrv.exe
1868	DesktopLayerSrvSrv.exe
1440	DesktopLayerSrvSrvSrv.exe
1440	DesktopLayerSrvSrvSrv.exe
1440	DesktopLayerSrvSrvSrv.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

1980 iexplore.exe
1748 iexplore.exe
1236 iexplore.exe
1740 iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1980	iexplore.exe
1980	iexplore.exe
1740	iexplore.exe
1740	iexplore.exe
1236	iexplore.exe
1236	iexplore.exe
1748	iexplore.exe
1748	iexplore.exe
852	iexplore.exe
852	iexplore.exe
824	IEXPLORE.EXE
2000	IEXPLORE.EXE
824	IEXPLORE.EXE
2000	IEXPLORE.EXE
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exee54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exeDesktopLayer.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exeDesktopLayerSrvSrvSrv.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1668 wrote to memory of 1852	1668	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
PID 1668 wrote to memory of 1852	1668	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
PID 1668 wrote to memory of 1852	1668	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
PID 1668 wrote to memory of 1852	1668	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
PID 1852 wrote to memory of 2036	1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exe
PID 1852 wrote to memory of 2036	1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exe
PID 1852 wrote to memory of 2036	1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exe
PID 1852 wrote to memory of 2036	1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exe
PID 1668 wrote to memory of 2020	1668	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe	DesktopLayer.exe
PID 1668 wrote to memory of 2020	1668	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe	DesktopLayer.exe
PID 1668 wrote to memory of 2020	1668	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe	DesktopLayer.exe
PID 1668 wrote to memory of 2020	1668	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe	DesktopLayer.exe
PID 1852 wrote to memory of 1980	1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe	iexplore.exe
PID 1852 wrote to memory of 1980	1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe	iexplore.exe
PID 1852 wrote to memory of 1980	1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe	iexplore.exe
PID 1852 wrote to memory of 1980	1852	e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe	iexplore.exe
PID 2020 wrote to memory of 520	2020	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2020 wrote to memory of 520	2020	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2020 wrote to memory of 520	2020	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2020 wrote to memory of 520	2020	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2020 wrote to memory of 1748	2020	DesktopLayer.exe	iexplore.exe
PID 2020 wrote to memory of 1748	2020	DesktopLayer.exe	iexplore.exe
PID 2020 wrote to memory of 1748	2020	DesktopLayer.exe	iexplore.exe
PID 2020 wrote to memory of 1748	2020	DesktopLayer.exe	iexplore.exe
PID 520 wrote to memory of 1868	520	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 520 wrote to memory of 1868	520	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 520 wrote to memory of 1868	520	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 520 wrote to memory of 1868	520	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 520 wrote to memory of 1740	520	DesktopLayerSrv.exe	iexplore.exe
PID 520 wrote to memory of 1740	520	DesktopLayerSrv.exe	iexplore.exe
PID 520 wrote to memory of 1740	520	DesktopLayerSrv.exe	iexplore.exe
PID 520 wrote to memory of 1740	520	DesktopLayerSrv.exe	iexplore.exe
PID 1868 wrote to memory of 1440	1868	DesktopLayerSrvSrv.exe	DesktopLayerSrvSrvSrv.exe
PID 1868 wrote to memory of 1440	1868	DesktopLayerSrvSrv.exe	DesktopLayerSrvSrvSrv.exe
PID 1868 wrote to memory of 1440	1868	DesktopLayerSrvSrv.exe	DesktopLayerSrvSrvSrv.exe
PID 1868 wrote to memory of 1440	1868	DesktopLayerSrvSrv.exe	DesktopLayerSrvSrvSrv.exe
PID 1868 wrote to memory of 1236	1868	DesktopLayerSrvSrv.exe	iexplore.exe
PID 1868 wrote to memory of 1236	1868	DesktopLayerSrvSrv.exe	iexplore.exe
PID 1868 wrote to memory of 1236	1868	DesktopLayerSrvSrv.exe	iexplore.exe
PID 1868 wrote to memory of 1236	1868	DesktopLayerSrvSrv.exe	iexplore.exe
PID 1440 wrote to memory of 852	1440	DesktopLayerSrvSrvSrv.exe	iexplore.exe
PID 1440 wrote to memory of 852	1440	DesktopLayerSrvSrvSrv.exe	iexplore.exe
PID 1440 wrote to memory of 852	1440	DesktopLayerSrvSrvSrv.exe	iexplore.exe
PID 1440 wrote to memory of 852	1440	DesktopLayerSrvSrvSrv.exe	iexplore.exe
PID 1740 wrote to memory of 1148	1740	iexplore.exe	IEXPLORE.EXE
PID 1740 wrote to memory of 1148	1740	iexplore.exe	IEXPLORE.EXE
PID 1740 wrote to memory of 1148	1740	iexplore.exe	IEXPLORE.EXE
PID 1740 wrote to memory of 1148	1740	iexplore.exe	IEXPLORE.EXE
PID 852 wrote to memory of 1492	852	iexplore.exe	IEXPLORE.EXE
PID 852 wrote to memory of 1492	852	iexplore.exe	IEXPLORE.EXE
PID 852 wrote to memory of 1492	852	iexplore.exe	IEXPLORE.EXE
PID 852 wrote to memory of 1492	852	iexplore.exe	IEXPLORE.EXE
PID 1236 wrote to memory of 1640	1236	iexplore.exe	IEXPLORE.EXE
PID 1236 wrote to memory of 1640	1236	iexplore.exe	IEXPLORE.EXE
PID 1236 wrote to memory of 1640	1236	iexplore.exe	IEXPLORE.EXE
PID 1236 wrote to memory of 1640	1236	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 824	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 824	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 824	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 824	1980	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 2000	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 2000	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 2000	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 2000	1748	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe
"C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1668

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:520

C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868

C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:852 CREDAT:275457 /prefetch:2
5⤵
PID:1492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:275457 /prefetch:2
4⤵
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exe
C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exe
1⤵
- Executes dropped EXE
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
01847661bed25ae4cffb7bec7a004943

SHA1
30620170803fb8c97a9253f658ab6fa9f146a876

SHA256
e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b

SHA512
bcc32e70c3457175cb64cae36ae07cff545ba586f72cae1b99164b3c7fe89e87883754b212d545bf5bba58fe37c5e5be1fb5531378455db45a09bdbdc3d72ed3

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
01847661bed25ae4cffb7bec7a004943

SHA1
30620170803fb8c97a9253f658ab6fa9f146a876

SHA256
e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b

SHA512
bcc32e70c3457175cb64cae36ae07cff545ba586f72cae1b99164b3c7fe89e87883754b212d545bf5bba58fe37c5e5be1fb5531378455db45a09bdbdc3d72ed3

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{918F7E81-B25A-11EB-83FC-FEBA24881352}.dat
MD5
ad87525f2123114ffa90f5344dc33616

SHA1
88e7a7e31e3473c04e74e70605407328790e9099

SHA256
efb30fc16d31154824cef91e8262ad6e11108de518dbdc3b40728125a579d8a2

SHA512
0165c6b6d02a17a6e31b620948772d51803b106d59aaad88e5687132e42609c1cc673b7533de3c50c62a59ebf15da50d14b218b14ce3b927f8f56290cc6937cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{920B8481-B25A-11EB-83FC-FEBA24881352}.dat
MD5
5095057a926c82299d5e87924678804d

SHA1
45bbca7e8e0a7d56d81d077fbedc623160d910f3

SHA256
61ad6015b66be369c519c8de569a684d4e7c3169d926ca4817da5651b478d0fa

SHA512
41b52abc1da6f40f9a1a125f7468dcf6818650e7d7c72c0af20ecc6b5e2e31102a0dfd38d3a3bc20e4ea440ac199569765637548e3c2862854b9b0671ce1dae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{920B8481-B25A-11EB-83FC-FEBA24881352}.dat
MD5
dff543aa1f4c6fcd9b92fd431965d60e

SHA1
cb1772db5e76b1829ab7c1c555ab6897955c61fb

SHA256
e15ddc27d4b32db8235b999b59a4d2bc0ad48305ed9ff4a57a258bf027f3b4e0

SHA512
e79113a16b7ce8f2374985020ae8daae93577b6116a0e51ecafd2bab2b125ee6844d3da870fe62ba250a2f586ddf08d6d724a50471e358e7324f7e29afd519dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{922F3921-B25A-11EB-83FC-FEBA24881352}.dat
MD5
743247d4dd5c2fe9abe4856e6913e89c

SHA1
232708c6fcad1e89957f5856ae5e0f17f9e5f690

SHA256
b728b7edabccac34de52e960d63f6e2140dac4338dc26ae2fd0ebfd24911a829

SHA512
ed15ec5064eb272f11bdded5bf3d9d0bf4b83b5de5f85fbf2df6be64af6e268c3448c45d3262e2c91cf32c5a6cdca6294d0a4686c5ab9cab6a08f1d754a191c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{922F3921-B25A-11EB-83FC-FEBA24881352}.dat
MD5
339f2f34bf3aee5ed6496bd7f25fde9d

SHA1
c2c2ac509a13f007164bae8ac08c31fe40bcd48e

SHA256
d2d55cda77af3e092a530342427acce20aef50b1bf49369add94d28f797a550f

SHA512
6e2db5dcfe3aa0efa497902e2f39cea87d9b4f8cbd119a3a3a46f11512ff4a0cb4da3aa12b8cf4b50c6de4b3fdbd0d27d016cd402261acd369c067053a04560b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TYX1QC9P.txt
MD5
743a5373fb846c2bcee39a40768f62b9

SHA1
0b33b663dc73dfbd621e828c3dc4d265a29c8317

SHA256
bcd61cbdb4ebbf747316a9957b6c3c8741161f6bb25b99954fcc5434e8ebb747

SHA512
8ebdd41a85709b1096b931d809ddfecec7518fca28f3d1e63548cc833569a9885df87c318a6566108c41ef20622989f69c3f88818d3d2ad4b9add9d507395675

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
01847661bed25ae4cffb7bec7a004943

SHA1
30620170803fb8c97a9253f658ab6fa9f146a876

SHA256
e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80b

SHA512
bcc32e70c3457175cb64cae36ae07cff545ba586f72cae1b99164b3c7fe89e87883754b212d545bf5bba58fe37c5e5be1fb5531378455db45a09bdbdc3d72ed3

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
\Users\Admin\AppData\Local\Temp\e54df5f3b47a500a5d23d4585d8703db220a32da378a623db7a03bbfbca6d80bSrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
memory/520-77-0x0000000000000000-mapping.dmp

Download
memory/824-118-0x0000000000000000-mapping.dmp

Download
memory/852-106-0x0000000000000000-mapping.dmp

Download
memory/1148-115-0x0000000000000000-mapping.dmp

Download
memory/1236-104-0x0000000000000000-mapping.dmp

Download
memory/1440-94-0x0000000000000000-mapping.dmp

Download
memory/1440-105-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/1440-107-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1492-116-0x0000000000000000-mapping.dmp

Download
memory/1640-117-0x0000000000000000-mapping.dmp

Download
memory/1668-92-0x0000000000230000-0x000000000027B000-memory.dmp

Filesize
300KB

Download
memory/1668-95-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1668-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1740-90-0x0000000000000000-mapping.dmp

Download
memory/1740-114-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/1748-82-0x0000000000000000-mapping.dmp

Download
memory/1748-83-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/1852-62-0x0000000000000000-mapping.dmp

Download
memory/1852-108-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/1852-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1852-109-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1868-85-0x0000000000000000-mapping.dmp

Download
memory/1868-101-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1868-97-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1980-75-0x0000000000000000-mapping.dmp

Download
memory/2000-119-0x0000000000000000-mapping.dmp

Download
memory/2020-79-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2020-68-0x0000000000000000-mapping.dmp

Download
memory/2036-67-0x0000000000000000-mapping.dmp

Download