Analysis

max time kernel: 121s
max time network: 143s
platform: windows10_x64
resource: win10v20210410
submitted: 09-05-2021 00:40

Static task: static1
Behavioral task: behavioral1
Sample: a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3.dll
Resource: win7v20210410
General

Target: a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3.dll
Size: 332KB
MD5: 015e11b88afcd635d409dd37d63b34ee
SHA1: efdccbe4280d4f8f635bb2bd74c912bab6a0bf38
SHA256: a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3
SHA512: ef7c3c6b9462e33437b83b93bdc3a193b9bdc951f14483c072362491747551aefca4238085bdf4410ebf429c74f6366cee8b081090c0a65a171969f18f524957
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
Processes:
pid | process
376 | rundll32Srv.exe
1380 | rundll32SrvSrv.exe
1592 | DesktopLayer.exe
2044 | DesktopLayerSrv.exe

resource | yara_rule
C:\Windows\SysWOW64\rundll32Srv.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
behavioral2/memory/1380-142-0x0000000000400000-0x000000000042E000-memory.dmp | upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
behavioral2/memory/376-127-0x0000000000400000-0x000000000043D000-memory.dmp | upx
C:\Windows\SysWOW64\rundll32SrvSrv.exe | upx
C:\Windows\SysWOW64\rundll32SrvSrv.exe | upx
C:\Windows\SysWOW64\rundll32Srv.exe | upx
Drops file in System32 directory (2 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\rundll32Srv.exe | rundll32.exe
File created | C:\Windows\SysWOW64\rundll32SrvSrv.exe | rundll32Srv.exe
Drops file in Program Files directory (8 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | rundll32SrvSrv.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe | DesktopLayer.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px35CB.tmp | DesktopLayerSrv.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | DesktopLayerSrv.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px3473.tmp | rundll32Srv.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | rundll32Srv.exe
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | rundll32Srv.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px34A2.tmp | rundll32SrvSrv.exe
Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
3532 | 3216 | WerFault.exe | rundll32.exe
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885030" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2025020318" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885030" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2025176440" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885030" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885030" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327310925" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327359511" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327327519" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885030" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885030" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2025176440" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2038771021" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2025020318" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2025176440" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885030" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885030" | iexplore.exe
Suspicious behavior: EnumeratesProcesses (38 IoCs)
Processes:
pid | process
1380 | rundll32SrvSrv.exe
1380 | rundll32SrvSrv.exe
1380 | rundll32SrvSrv.exe
1380 | rundll32SrvSrv.exe
1592 | DesktopLayer.exe
1592 | DesktopLayer.exe
1380 | rundll32SrvSrv.exe
1380 | rundll32SrvSrv.exe
1380 | rundll32SrvSrv.exe
1380 | rundll32SrvSrv.exe
2044 | DesktopLayerSrv.exe
2044 | DesktopLayerSrv.exe
1592 | DesktopLayer.exe
1592 | DesktopLayer.exe
2044 | DesktopLayerSrv.exe
2044 | DesktopLayerSrv.exe
1592 | DesktopLayer.exe
1592 | DesktopLayer.exe
1592 | DesktopLayer.exe
1592 | DesktopLayer.exe
2044 | DesktopLayerSrv.exe
2044 | DesktopLayerSrv.exe
2044 | DesktopLayerSrv.exe
2044 | DesktopLayerSrv.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeRestorePrivilege | 3532 | WerFault.exe
Token: SeBackupPrivilege | 3532 | WerFault.exe
Token: SeDebugPrivilege | 3532 | WerFault.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
pid | process
2656 | iexplore.exe
2768 | iexplore.exe
1704 | iexplore.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
pid | process
1704 | iexplore.exe
1704 | iexplore.exe
2768 | iexplore.exe
2768 | iexplore.exe
2656 | iexplore.exe
2656 | iexplore.exe
2704 | IEXPLORE.EXE
2704 | IEXPLORE.EXE
1004 | IEXPLORE.EXE
1004 | IEXPLORE.EXE
2968 | IEXPLORE.EXE
2968 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (30 IoCs)
Processes:
description | pid | process | target process
PID 2116 wrote to memory of 3216 | 2116 | rundll32.exe | rundll32.exe
PID 2116 wrote to memory of 3216 | 2116 | rundll32.exe | rundll32.exe
PID 2116 wrote to memory of 3216 | 2116 | rundll32.exe | rundll32.exe
PID 3216 wrote to memory of 376 | 3216 | rundll32.exe | rundll32Srv.exe
PID 3216 wrote to memory of 376 | 3216 | rundll32.exe | rundll32Srv.exe
PID 3216 wrote to memory of 376 | 3216 | rundll32.exe | rundll32Srv.exe
PID 376 wrote to memory of 1380 | 376 | rundll32Srv.exe | rundll32SrvSrv.exe
PID 376 wrote to memory of 1380 | 376 | rundll32Srv.exe | rundll32SrvSrv.exe
PID 376 wrote to memory of 1380 | 376 | rundll32Srv.exe | rundll32SrvSrv.exe
PID 376 wrote to memory of 1592 | 376 | rundll32Srv.exe | DesktopLayer.exe
PID 376 wrote to memory of 1592 | 376 | rundll32Srv.exe | DesktopLayer.exe
PID 376 wrote to memory of 1592 | 376 | rundll32Srv.exe | DesktopLayer.exe
PID 1592 wrote to memory of 2044 | 1592 | DesktopLayer.exe | DesktopLayerSrv.exe
PID 1592 wrote to memory of 2044 | 1592 | DesktopLayer.exe | DesktopLayerSrv.exe
PID 1592 wrote to memory of 2044 | 1592 | DesktopLayer.exe | DesktopLayerSrv.exe
PID 1380 wrote to memory of 1704 | 1380 | rundll32SrvSrv.exe | iexplore.exe
PID 1380 wrote to memory of 1704 | 1380 | rundll32SrvSrv.exe | iexplore.exe
PID 1592 wrote to memory of 2656 | 1592 | DesktopLayer.exe | iexplore.exe
PID 1592 wrote to memory of 2656 | 1592 | DesktopLayer.exe | iexplore.exe
PID 2044 wrote to memory of 2768 | 2044 | DesktopLayerSrv.exe | iexplore.exe
PID 2044 wrote to memory of 2768 | 2044 | DesktopLayerSrv.exe | iexplore.exe
PID 1704 wrote to memory of 2968 | 1704 | iexplore.exe | IEXPLORE.EXE
PID 1704 wrote to memory of 2968 | 1704 | iexplore.exe | IEXPLORE.EXE
PID 1704 wrote to memory of 2968 | 1704 | iexplore.exe | IEXPLORE.EXE
PID 2768 wrote to memory of 1004 | 2768 | iexplore.exe | IEXPLORE.EXE
PID 2768 wrote to memory of 1004 | 2768 | iexplore.exe | IEXPLORE.EXE
PID 2768 wrote to memory of 1004 | 2768 | iexplore.exe | IEXPLORE.EXE
PID 2656 wrote to memory of 2704 | 2656 | iexplore.exe | IEXPLORE.EXE
PID 2656 wrote to memory of 2704 | 2656 | iexplore.exe | IEXPLORE.EXE
PID 2656 wrote to memory of 2704 | 2656 | iexplore.exe | IEXPLORE.EXE
Processes

C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3.dll,#1
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32Srv.exe
      Command line: C:\Windows\SysWOW64\rundll32Srv.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32SrvSrv.exe
          Command line: C:\Windows\SysWOW64\rundll32SrvSrv.exe
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

            C:\Program Files\Internet Explorer\iexplore.exe
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:82945 /prefetch:2
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx

        C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

            C:\Program Files\Internet Explorer\iexplore.exe
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:82945 /prefetch:2
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx

            C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
              Command line: "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3.dll,#1
  - Suspicious use of WriteProcessMemory

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:82945 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  MD5: f018e9eb66dc53d840ee98c5926f1e2e
  SHA1: 8e736010173688f982e5713fa8b70c978f17ba42
  SHA256: 8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6
  SHA512: 30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  MD5: f018e9eb66dc53d840ee98c5926f1e2e
  SHA1: 8e736010173688f982e5713fa8b70c978f17ba42
  SHA256: 8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6
  SHA512: 30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  MD5: f7dcb24540769805e5bb30d193944dce
  SHA1: e26c583c562293356794937d9e2e6155d15449ee
  SHA256: 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
  SHA512: cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  MD5: f7dcb24540769805e5bb30d193944dce
  SHA1: e26c583c562293356794937d9e2e6155d15449ee
  SHA256: 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
  SHA512: cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: f24c21cc3be7daee3b2334dfbf6cc685
  SHA1: 3f5fc1985d1e6396c501c2b1529ba2b3974433a5
  SHA256: 9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227
  SHA512: e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: f24c21cc3be7daee3b2334dfbf6cc685
  SHA1: 3f5fc1985d1e6396c501c2b1529ba2b3974433a5
  SHA256: 9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227
  SHA512: e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: f24c21cc3be7daee3b2334dfbf6cc685
  SHA1: 3f5fc1985d1e6396c501c2b1529ba2b3974433a5
  SHA256: 9fcbd46ce88164cb062aa624c45fce51d969cf14cb5bded593220125e6250227
  SHA512: e15eb7e0c50ac2a6f7372392991faf27dab8503862b7fec043c308cfa1dd53c6c8356253212c4dff3b284d5062e1696c5655fa9fff8172d6a934729aee5c695c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  MD5: 556f0dc1d0c07922d39923d1a6b97d6f
  SHA1: a72de011d0a389df129f815163c2d93c0c8b2b05
  SHA256: 6e7de1b8bd0d541c112df6685f7d63aa0052a4b9bf477cbd27d64dfe9f5e45d4
  SHA512: 5951ddeaec1deeb53efb69f97cefc9406957216da2a4de0c6de0e9969d1d4adb9749643d6827b5b7e72120a675dda754287158394a66e3a2a6decee6de31beb2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  MD5: af13ae4320cd826a0dfb9582785d4bc2
  SHA1: 94641ed05740c801509fee197ac7665acd2f7045
  SHA256: 6a1d338571481a7136c298f03940408e91a2ab6d697788cbb4e242fe73daff66
  SHA512: 17fc34505adf452a13f1709910673c1a7fd9026296b1786fee49119fb8cc86e6c3722c431b0d0c2fb0bd9be64abf88ef1a1f4e9b330bfdd652a9f9b32107c8b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: 8f65d0c8273865b7eb3ec82542b6c73b
  SHA1: 5e2fd17b4642ed717d03c63197d28456a7301900
  SHA256: 1ce187680b7d3f4bfaa44312273021fdadb0955e4c3f6fe577a5e29f9c1de076
  SHA512: e476091563de6f866de1585e1ce3bcf54d0a236596b63d019edc31f9d4267c364129310594cad3ae5b937e999e17b3880c4e3cc83d073a1a7a846f16b7229a78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: 65630676729f09acc154a19c84c19d51
  SHA1: c296e5c7dbeeec6bad516dc24b839872c72f3bac
  SHA256: f83d45cc315b66b99d3ce443bf8205550456d450af774a3e0df227a996c52b2a
  SHA512: 7817b23d7cf7ed39123ddd8417a5c7cd39e9c45c3622b60747985f21d9af853b101b17cbb2770a1eb8ff0f39bc56add9f11e4da2c2a6126f5d9287ae1439c106

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: b4fe99535f89ebd7554ee2c1ef8bedec
  SHA1: 0748142f2592bd67771fa3529237f3ca10ad9732
  SHA256: 59bac376a05455025cad0c0514b4028391cc30d253083dd2710d665ae5805409
  SHA512: 98bffbbb1de315c04e0000c0430980f8a2e60e60fce8c17a0275877c55adf7c488388400bfa4fdbbccf52665464cc7d1e2d983d2ee619cb580195d34a0412b53

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A3BB585F-B099-11EB-A11C-F682FE25733D}.dat
  MD5: a8a8e556575519bb4bb140c6eb23434f
  SHA1: 39362353fd787a7f70284504af11d88274c114d6
  SHA256: a7f063c72ed04d925176117630c09a4b97e8de0295cb33b630540f77090fd382
  SHA512: 003b850fdc7b430c09b1eacf22d46278d9f01ea35d56752e4ea2c241b97a6cf38b43662263938f1d12f62a717721884fb28450cda57560315b331ef807b9351f

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A3DA531F-B099-11EB-A11C-F682FE25733D}.dat
  MD5: 2bf1ac2aefa1b3b1b87dbbf0919f52ac
  SHA1: cc445c43501a49b03b75c7cd3ba9076da80853c5
  SHA256: 4d79951e32d64db31a631f1d6d9cafa8f95bbe97b21b66092a5cd157935a6178
  SHA512: 3e21d3a0a3ee0be923c5312c779cf2dfaba56c464d806beb279760271f29967773f1a6c98f8776b75952b9b2c9470778e1ac95ec4e38d4d9cbece23b4baf721d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A3E2B593-B099-11EB-A11C-F682FE25733D}.dat
  MD5: 39b01129dfe4a3f81d3c06a3d31dc852
  SHA1: 588e0247ae011c831f182b40085ffa9acd98c5db
  SHA256: 8909837dd797f0f4ca1c3dd8242a7ec4c227d2e752baf80a45d293285a74b395
  SHA512: 20edab41c4f5c089546c641820726f3c7621098f35ce46e5610b0660e5496e03152f06455f3edba649d3fac1f0473431e9952626708e6ea2ce122b1befa5a448

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\9F1419FX.cookie
  MD5: 69feb1c9bd08cdbf9c7aeb3c13cc1de8
  SHA1: 852fd092d3bc0ef0324a795484f2b70a633ab42e
  SHA256: 50dbb77d72a0bd97f112b3b622b950e66e9939d7ec7b6ed7f84d40346afbccbf
  SHA512: 90e0cc3606058ecd118d938bfa5f8778eedaa4e11849c2f49c4c6d545f3c5c3ed94756bbdf609e98340132cd00e187c8cb39be2b05124c60f3e601c11cc1371c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Q06JJ1TI.cookie
  MD5: 93f9d96d2bb49292e39efa4516558445
  SHA1: afbc9c224754821a6dc90e979ba45d1a4c996357
  SHA256: 904b778063009e7a16e4eaef56695a9db29b0deb04e909b26689286e3a233664
  SHA512: 3d5e8b2975c69edd0e1c625832201faf677baa3549afb93407643dd49503db5ac6c9da5d1d3e53b9051c8d6280a303960ac2b83c66f751657497045133d1ef74

C:\Windows\SysWOW64\rundll32Srv.exe
  MD5: f018e9eb66dc53d840ee98c5926f1e2e
  SHA1: 8e736010173688f982e5713fa8b70c978f17ba42
  SHA256: 8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6
  SHA512: 30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

C:\Windows\SysWOW64\rundll32Srv.exe
  MD5: f018e9eb66dc53d840ee98c5926f1e2e
  SHA1: 8e736010173688f982e5713fa8b70c978f17ba42
  SHA256: 8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6
  SHA512: 30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

C:\Windows\SysWOW64\rundll32SrvSrv.exe
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

C:\Windows\SysWOW64\rundll32SrvSrv.exe
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
memory/376-127-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB

memory/376-115-0x0000000000000000-mapping.dmp

memory/376-123-0x00000000001E0000-0x00000000001EF000-memory.dmp
  Filesize: 60KB

memory/1004-145-0x0000000000000000-mapping.dmp

memory/1380-142-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize: 184KB

memory/1380-117-0x0000000000000000-mapping.dmp

memory/1380-122-0x00000000001F0000-0x00000000001F1000-memory.dmp
  Filesize: 4KB

memory/1592-120-0x0000000000000000-mapping.dmp

memory/1704-126-0x0000000000000000-mapping.dmp

memory/1704-137-0x00007FF86B9C0000-0x00007FF86BA2B000-memory.dmp
  Filesize: 428KB

memory/2044-125-0x0000000000000000-mapping.dmp

memory/2656-134-0x0000000000000000-mapping.dmp

memory/2656-139-0x00007FF86B9C0000-0x00007FF86BA2B000-memory.dmp
  Filesize: 428KB

memory/2704-146-0x0000000000000000-mapping.dmp

memory/2768-136-0x0000000000000000-mapping.dmp

memory/2768-141-0x00007FF86B9C0000-0x00007FF86BA2B000-memory.dmp
  Filesize: 428KB

memory/2968-144-0x0000000000000000-mapping.dmp

memory/3216-114-0x0000000000000000-mapping.dmp