ramnit | b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a

General

Target

b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
Size

154KB
MD5

6ad3672feb58595cf0ffaf450eb5a259
SHA1

f129eef49fa76a4098ef947d75a1a2bfb29d6697
SHA256

b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a
SHA512

9747e64ace1679dcf65cd154a7f8df19b2327d5ab3d343a5f1285d0fe145bb0243a8a1f21e09dfcb347802592ecff5cc36243b0251a0ca52189ce7def347a251

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe:*:enabled:@shell32.dll,-1"	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exeDesktopLayer.exe

pid process

396 b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe
1056 DesktopLayer.exe

pid	process
396	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe
1056	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/396-123-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px163D.tmp	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1705918966"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{90FD2FAA-B49A-11EB-A11C-7280A1B46CD1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327799712"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327767720"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1705918966"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1712325415"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886055"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327751127"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886055"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886055"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exeDesktopLayer.exe

pid	process
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
1056	DesktopLayer.exe
1056	DesktopLayer.exe
1056	DesktopLayer.exe
1056	DesktopLayer.exe
1056	DesktopLayer.exe
1056	DesktopLayer.exe
1056	DesktopLayer.exe
1056	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1364 iexplore.exe

pid	process
1364	iexplore.exe

Suspicious behavior: MapViewOfSection 60 IoCs

Processes:

b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe

pid	process
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe

description pid process

Token: SeDebugPrivilege 3904 b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1364 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe

pid	process
1364	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exeiexplore.exeIEXPLORE.EXE

pid	process
3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
1364	iexplore.exe
1364	iexplore.exe
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe

description	pid	process	target process
PID 3904 wrote to memory of 396	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe
PID 3904 wrote to memory of 396	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe
PID 3904 wrote to memory of 396	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe
PID 3904 wrote to memory of 576	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	winlogon.exe
PID 3904 wrote to memory of 576	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	winlogon.exe
PID 3904 wrote to memory of 576	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	winlogon.exe
PID 3904 wrote to memory of 576	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	winlogon.exe
PID 3904 wrote to memory of 576	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	winlogon.exe
PID 3904 wrote to memory of 576	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	winlogon.exe
PID 3904 wrote to memory of 628	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	lsass.exe
PID 3904 wrote to memory of 628	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	lsass.exe
PID 3904 wrote to memory of 628	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	lsass.exe
PID 3904 wrote to memory of 628	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	lsass.exe
PID 3904 wrote to memory of 628	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	lsass.exe
PID 3904 wrote to memory of 628	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	lsass.exe
PID 3904 wrote to memory of 708	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 708	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 708	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 708	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 708	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 708	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 716	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 716	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 716	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 716	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 716	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 716	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 724	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 724	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 724	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 724	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 724	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 724	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	fontdrvhost.exe
PID 3904 wrote to memory of 792	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 792	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 792	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 792	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 792	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 792	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 840	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 840	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 840	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 840	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 840	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 840	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 884	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 884	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 884	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 884	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 884	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 884	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 980	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	dwm.exe
PID 3904 wrote to memory of 980	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	dwm.exe
PID 3904 wrote to memory of 980	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	dwm.exe
PID 3904 wrote to memory of 980	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	dwm.exe
PID 3904 wrote to memory of 980	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	dwm.exe
PID 3904 wrote to memory of 980	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	dwm.exe
PID 3904 wrote to memory of 336	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 336	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 336	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 336	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 336	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 336	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe
PID 3904 wrote to memory of 428	3904	b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:628

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:576

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:716

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:980

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1656

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a8
2⤵
PID:2268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2432

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3252

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe
"C:\Users\Admin\AppData\Local\Temp\b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002a.exe"
1⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe
C:\Users\Admin\AppData\Local\Temp\b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:396

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1056

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1364

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:8

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:2256

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3280

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2996

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2768

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2724

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2664

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:3164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2384

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2144

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1908

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2044

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1944

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1808

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1540

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:2980

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1256

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:856

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3712

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:884

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:792

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:640

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
d8ce8e59dc1b438493939ab9753807d0

SHA1
fa3ec7549a6f496749762cbed1038a2cb1951dca

SHA256
61c6b349fe8f639b7d9d56a81b005a2f86b05c5cad20225ff6ba3aa24e592c24

SHA512
7ff83c93e3b9f17a2fae2a14a5a0ddfc498cc3d7cec5dffda45936383b3c2c2ee2aa62719b2165d74b1bf676a71b55191e45702b576cc059fa6af24ba74ae954

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
d8ce8e59dc1b438493939ab9753807d0

SHA1
fa3ec7549a6f496749762cbed1038a2cb1951dca

SHA256
61c6b349fe8f639b7d9d56a81b005a2f86b05c5cad20225ff6ba3aa24e592c24

SHA512
7ff83c93e3b9f17a2fae2a14a5a0ddfc498cc3d7cec5dffda45936383b3c2c2ee2aa62719b2165d74b1bf676a71b55191e45702b576cc059fa6af24ba74ae954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
57010df1ded674ce061f8af29a2e6fbb

SHA1
83e50ef272059dc3fab93e694d5e220dc48bf0c4

SHA256
68492169f14b36562d813f4ae7506f4b324b85f0e6aec352a37faba29b289616

SHA512
211ecb686dec8e8dd57cc8aeebdb8953f81aa56eebec9b463df4d41d98942317ed001ae5ffc9cc0c3ce5c542317cd0838447b885016697411b99f68190bd430b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
b9ce1ad1fbffe7050f344e2140c6e384

SHA1
bfe2afb58974f9e6833e893420afd7bec899c314

SHA256
863eb9884130eb3cbb96b6e6c5b07e4a00cc02c07b2fd257437ecc1cf45b2f6d

SHA512
d53412e7790d0b204a22c3f5344ac51a96197813183f741a1d652f44fdf5f14ba6c02de4311d2ffe51f5018342c8dc15608f02ba44c0cf611d05712e84beda16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\109Z28HJ.cookie
MD5
6d4c6fe720d04a1a8aaf3ac3afbcee39

SHA1
3376afa92d6d50da6cf5ccdf19059faf82cb3e9f

SHA256
ae382ead855b0fa287a16e866240c4c63334ce79fd69bcd84d6b9a9db49c7bbd

SHA512
a29fc0277b384b225e268727253bcc3221813ce0cbe0a46918e6f050ff145b2ade5d27d2e43fc14a0cdf5c57dc6deb24622bc53a818c7520c1663ee6d9170ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\FCJ1260F.cookie
MD5
31aa55e542a5f8ac12d9ee115ad71a0b

SHA1
86acd60e99a3fcec12aaee4bca6266fc75ec4da2

SHA256
ba35f7e86538b99167908690094ad85470f8447736c3ddfbe8054babfd2af05f

SHA512
53c73733b2193b4bbb5ef83151ebed9d6366e855db4fe714b59fab96096095c39da54a82492ccfb15efd3d1ff3904351ec8db5e824fab32e1ea00e9b74e39676

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe
MD5
d8ce8e59dc1b438493939ab9753807d0

SHA1
fa3ec7549a6f496749762cbed1038a2cb1951dca

SHA256
61c6b349fe8f639b7d9d56a81b005a2f86b05c5cad20225ff6ba3aa24e592c24

SHA512
7ff83c93e3b9f17a2fae2a14a5a0ddfc498cc3d7cec5dffda45936383b3c2c2ee2aa62719b2165d74b1bf676a71b55191e45702b576cc059fa6af24ba74ae954

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3df5e992ae7854a8296e8d1639ed3dcab84accffe987e3e80a8118ac168002aSrv.exe
MD5
d8ce8e59dc1b438493939ab9753807d0

SHA1
fa3ec7549a6f496749762cbed1038a2cb1951dca

SHA256
61c6b349fe8f639b7d9d56a81b005a2f86b05c5cad20225ff6ba3aa24e592c24

SHA512
7ff83c93e3b9f17a2fae2a14a5a0ddfc498cc3d7cec5dffda45936383b3c2c2ee2aa62719b2165d74b1bf676a71b55191e45702b576cc059fa6af24ba74ae954

Download Submit
memory/396-121-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/396-114-0x0000000000000000-mapping.dmp

Download
memory/396-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1056-117-0x0000000000000000-mapping.dmp

Download
memory/1056-120-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1364-122-0x0000000000000000-mapping.dmp

Download
memory/1364-125-0x00007FF858070000-0x00007FF8580DB000-memory.dmp

Filesize
428KB

Download
memory/2780-129-0x0000000000000000-mapping.dmp

Download
memory/3904-127-0x0000000000400000-0x000000000089B000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads