ramnit | 9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 02:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6.exe
Size

232KB
MD5

9296dfc71b2fde6be07220b43646fb5f
SHA1

af0901da8d4b370e1193305af0b68b49acdaff12
SHA256

9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6
SHA512

94a076e496b6b8a5a9ac41b8346c5c1691f0afe42e1ad38a229bcc2a9c07242da9f27e52c7f4bd4805759c3b74d15334d0fc24713710edaa938888b3ef3d40f4
SSDEEP

3072:+AGrHHi9ltddz5c29VHbWVIV/FJxB1z+2Zt5yJmk+DnNF8cEH:RGr8z5/PNRB1aUtnDc

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 4 IoCs

pid	Process
4760	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe
4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
2256	DesktopLayer.exe
1780	DesktopLayerSrv.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4880-149-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2256-152-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4760-148-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2256-155-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1780-156-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4880-157-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1780-158-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2256-159-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxBD2A.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBB36.tmp	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBB46.tmp	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe

Program crash 11 IoCs

pid	pid_target	Process	procid_target
1580	4760	WerFault.exe	84
1412	3424	WerFault.exe	87
1280	2560	WerFault.exe	93
3912	4184	WerFault.exe	92
1504	4760	WerFault.exe	84
3088	4880	WerFault.exe	85
1928	1780	WerFault.exe	88
4604	2256	WerFault.exe	86
4492	4880	WerFault.exe	85
3684	2256	WerFault.exe	86
4352	1780	WerFault.exe	88

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "136997812"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "147778777"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993506"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993506"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993506"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "136997812"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{33AB70D0-5855-11ED-A0EE-E2272FE8D9C1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373900823"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
2256	DesktopLayer.exe
2256	DesktopLayer.exe
2256	DesktopLayer.exe
2256	DesktopLayer.exe
1780	DesktopLayerSrv.exe
1780	DesktopLayerSrv.exe
1780	DesktopLayerSrv.exe
1780	DesktopLayerSrv.exe
4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
1780	DesktopLayerSrv.exe
1780	DesktopLayerSrv.exe
1780	DesktopLayerSrv.exe
1780	DesktopLayerSrv.exe
2256	DesktopLayer.exe
2256	DesktopLayer.exe
2256	DesktopLayer.exe
2256	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1996	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1996	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1996	iexplore.exe
1996	iexplore.exe
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 4760	2500	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6.exe	84
PID 2500 wrote to memory of 4760	2500	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6.exe	84
PID 2500 wrote to memory of 4760	2500	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6.exe	84
PID 4760 wrote to memory of 4880	4760	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe	85
PID 4760 wrote to memory of 4880	4760	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe	85
PID 4760 wrote to memory of 4880	4760	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe	85
PID 4760 wrote to memory of 2256	4760	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe	86
PID 4760 wrote to memory of 2256	4760	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe	86
PID 4760 wrote to memory of 2256	4760	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe	86
PID 4880 wrote to memory of 3424	4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe	87
PID 4880 wrote to memory of 3424	4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe	87
PID 4880 wrote to memory of 3424	4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe	87
PID 4880 wrote to memory of 3424	4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe	87
PID 4880 wrote to memory of 3424	4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe	87
PID 4880 wrote to memory of 3424	4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe	87
PID 4880 wrote to memory of 3424	4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe	87
PID 4880 wrote to memory of 3424	4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe	87
PID 4880 wrote to memory of 3424	4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe	87
PID 2256 wrote to memory of 1780	2256	DesktopLayer.exe	88
PID 2256 wrote to memory of 1780	2256	DesktopLayer.exe	88
PID 2256 wrote to memory of 1780	2256	DesktopLayer.exe	88
PID 2256 wrote to memory of 2560	2256	DesktopLayer.exe	93
PID 2256 wrote to memory of 2560	2256	DesktopLayer.exe	93
PID 2256 wrote to memory of 2560	2256	DesktopLayer.exe	93
PID 1780 wrote to memory of 4184	1780	DesktopLayerSrv.exe	92
PID 1780 wrote to memory of 4184	1780	DesktopLayerSrv.exe	92
PID 1780 wrote to memory of 4184	1780	DesktopLayerSrv.exe	92
PID 2256 wrote to memory of 2560	2256	DesktopLayer.exe	93
PID 2256 wrote to memory of 2560	2256	DesktopLayer.exe	93
PID 2256 wrote to memory of 2560	2256	DesktopLayer.exe	93
PID 2256 wrote to memory of 2560	2256	DesktopLayer.exe	93
PID 2256 wrote to memory of 2560	2256	DesktopLayer.exe	93
PID 2256 wrote to memory of 2560	2256	DesktopLayer.exe	93
PID 1780 wrote to memory of 4184	1780	DesktopLayerSrv.exe	92
PID 1780 wrote to memory of 4184	1780	DesktopLayerSrv.exe	92
PID 1780 wrote to memory of 4184	1780	DesktopLayerSrv.exe	92
PID 1780 wrote to memory of 4184	1780	DesktopLayerSrv.exe	92
PID 1780 wrote to memory of 4184	1780	DesktopLayerSrv.exe	92
PID 1780 wrote to memory of 4184	1780	DesktopLayerSrv.exe	92
PID 4880 wrote to memory of 1996	4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe	101
PID 4880 wrote to memory of 1996	4880	9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe	101
PID 1996 wrote to memory of 2072	1996	iexplore.exe	104
PID 1996 wrote to memory of 2072	1996	iexplore.exe	104
PID 1996 wrote to memory of 2072	1996	iexplore.exe	104
PID 1780 wrote to memory of 892	1780	DesktopLayerSrv.exe	106
PID 1780 wrote to memory of 892	1780	DesktopLayerSrv.exe	106
PID 2256 wrote to memory of 668	2256	DesktopLayer.exe	105
PID 2256 wrote to memory of 668	2256	DesktopLayer.exe	105

C:\Users\Admin\AppData\Local\Temp\9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6.exe
"C:\Users\Admin\AppData\Local\Temp\9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe
  C:\Users\Admin\AppData\Local\Temp\9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:3424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 204
        5⤵
        Program crash
        
        PID:1412
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 296
      4⤵
      Program crash
      PID:3088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 304
      4⤵
      Program crash
      PID:4492
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:4184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 204
        6⤵
        Program crash
        
        PID:3912
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        
        PID:892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 328
        5⤵
        Program crash
        
        PID:1928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 352
        5⤵
        Program crash
        
        PID:4352
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:2560
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 204
        5⤵
        Program crash
        
        PID:1280
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      PID:668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 284
      4⤵
      Program crash
      PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 332
      4⤵
      Program crash
      PID:3684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 280
    3⤵
    - Program crash
    PID:1580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 352
    3⤵
    - Program crash
    PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4760 -ip 4760
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3424 -ip 3424
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2560 -ip 2560
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4184 -ip 4184
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4760 -ip 4760
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4880 -ip 4880
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2256 -ip 2256
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1780 -ip 1780
1⤵
PID:612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4880 -ip 4880
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2256 -ip 2256
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1780 -ip 1780
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
154KB

MD5
2e2d58fbaf314a2fe9f1f2aa37bfc604

SHA1
54d00f1d4c83043383ef711737e74f3fb3a554d4

SHA256
f8c71cf709a0e3906ac33a64dec49efc3b20c0d1b2562a6dd1ff5f7f24028f10

SHA512
d2e4f5cbe5df0ee54d841dff47008d24ddce93920bdb9818c4b67d881aa9e4eda5b0d566f05a0c7328b0aa89a57712d48fda2bb2fc1e8e897f24fd5475da6bfd

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
154KB

MD5
2e2d58fbaf314a2fe9f1f2aa37bfc604

SHA1
54d00f1d4c83043383ef711737e74f3fb3a554d4

SHA256
f8c71cf709a0e3906ac33a64dec49efc3b20c0d1b2562a6dd1ff5f7f24028f10

SHA512
d2e4f5cbe5df0ee54d841dff47008d24ddce93920bdb9818c4b67d881aa9e4eda5b0d566f05a0c7328b0aa89a57712d48fda2bb2fc1e8e897f24fd5475da6bfd

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
76KB

MD5
395eeaefab2ddeb8384cc1148372698a

SHA1
df1b8db968cde6b267504617bc67436a2feb4289

SHA256
843a48356f299924f97639a8079b954c88e1ec20cb2bb936386c2c471c098e36

SHA512
4b6848f3d481a84403cd3ff72f7b5b4a9323a85e8a423dc4e07e948387cf0ecc4902f25ccede5683d04a7f100a27f11d4edfdb658e344bd32e9c648fce32c083

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
76KB

MD5
395eeaefab2ddeb8384cc1148372698a

SHA1
df1b8db968cde6b267504617bc67436a2feb4289

SHA256
843a48356f299924f97639a8079b954c88e1ec20cb2bb936386c2c471c098e36

SHA512
4b6848f3d481a84403cd3ff72f7b5b4a9323a85e8a423dc4e07e948387cf0ecc4902f25ccede5683d04a7f100a27f11d4edfdb658e344bd32e9c648fce32c083

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
5ddb1febcd291eb59d3d67d24a05bfd0

SHA1
fe957affe27cb991f332e7f5c86d3a15359bd3b9

SHA256
ec45a385c906b3d925ebbe6532d10adec9a14c1733c756c64db5133bd9d88dcb

SHA512
62d00893402fae125ae3428da2495b0eb864b125f975cd887f894f7298a4a86f361cf50aaa7c9b69f3dcb734a950c43472778ea4062b3146c3de5623d08dcd21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
0d21ac8915ae27156f91e476233310d9

SHA1
5f21b648237ee0cb6066722e9d39b418b931daf3

SHA256
7c0108d2e96efd078e824c01193658ee1124e18d70365f258dcdba59f771b407

SHA512
54c2a85454858726623d4c5e48c5bc75573176fb53c1a2494adbcc14cb6d1dda4b75ee7d74bff50a18a50d7d716231b375fcbf4cc811177e6bb4f95e09237f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe

Filesize
154KB

MD5
2e2d58fbaf314a2fe9f1f2aa37bfc604

SHA1
54d00f1d4c83043383ef711737e74f3fb3a554d4

SHA256
f8c71cf709a0e3906ac33a64dec49efc3b20c0d1b2562a6dd1ff5f7f24028f10

SHA512
d2e4f5cbe5df0ee54d841dff47008d24ddce93920bdb9818c4b67d881aa9e4eda5b0d566f05a0c7328b0aa89a57712d48fda2bb2fc1e8e897f24fd5475da6bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6Srv.exe

Filesize
154KB

MD5
2e2d58fbaf314a2fe9f1f2aa37bfc604

SHA1
54d00f1d4c83043383ef711737e74f3fb3a554d4

SHA256
f8c71cf709a0e3906ac33a64dec49efc3b20c0d1b2562a6dd1ff5f7f24028f10

SHA512
d2e4f5cbe5df0ee54d841dff47008d24ddce93920bdb9818c4b67d881aa9e4eda5b0d566f05a0c7328b0aa89a57712d48fda2bb2fc1e8e897f24fd5475da6bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe

Filesize
76KB

MD5
395eeaefab2ddeb8384cc1148372698a

SHA1
df1b8db968cde6b267504617bc67436a2feb4289

SHA256
843a48356f299924f97639a8079b954c88e1ec20cb2bb936386c2c471c098e36

SHA512
4b6848f3d481a84403cd3ff72f7b5b4a9323a85e8a423dc4e07e948387cf0ecc4902f25ccede5683d04a7f100a27f11d4edfdb658e344bd32e9c648fce32c083

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d68ca5d7762a8b486fb2abe86a5341734b46cc7df2666ea55bbb398d47bb3a6SrvSrv.exe

Filesize
76KB

MD5
395eeaefab2ddeb8384cc1148372698a

SHA1
df1b8db968cde6b267504617bc67436a2feb4289

SHA256
843a48356f299924f97639a8079b954c88e1ec20cb2bb936386c2c471c098e36

SHA512
4b6848f3d481a84403cd3ff72f7b5b4a9323a85e8a423dc4e07e948387cf0ecc4902f25ccede5683d04a7f100a27f11d4edfdb658e344bd32e9c648fce32c083

Download Submit
memory/1780-158-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1780-156-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2256-155-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2256-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2256-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2500-132-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2500-136-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4760-148-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4880-157-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4880-149-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download