ramnit | 2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885

General

Target

2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
Size

320KB
MD5

554064d9754f879cc5c37d6970755c96
SHA1

2518e4b0e162cf77de755c59a0329c1b74072de0
SHA256

2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885
SHA512

d3e60cb6706f4081b8baf902c24c884490ab9558a0a0206b7f89554a25e953b9327b80a73e3c2e8997a5db2a7f23657e9b50d3679db52723f91ea6c309954aaf

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe:*:enabled:@shell32.dll,-1"	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exeDesktopLayer.exe

pid process

864 2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe
1028 DesktopLayer.exe

pid	process
864	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe
1028	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/864-123-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px21D6.tmp	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "304897416"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886037"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "304897416"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327743255"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "309741908"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886037"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327791841"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327759849"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886037"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3CF09781-B488-11EB-A11C-CE9B817779E4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exeDesktopLayer.exe

pid	process
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
1028	DesktopLayer.exe
1028	DesktopLayer.exe
1028	DesktopLayer.exe
1028	DesktopLayer.exe
1028	DesktopLayer.exe
1028	DesktopLayer.exe
1028	DesktopLayer.exe
1028	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1236 iexplore.exe

pid	process
1236	iexplore.exe

Suspicious behavior: MapViewOfSection 60 IoCs

Processes:

2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe

pid	process
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe

description pid process

Token: SeDebugPrivilege 3724 2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1236 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1236 iexplore.exe
1236 iexplore.exe
3536 IEXPLORE.EXE
3536 IEXPLORE.EXE
3536 IEXPLORE.EXE
3536 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe

pid	process
1236	iexplore.exe

pid	process
1236	iexplore.exe
1236	iexplore.exe
3536	IEXPLORE.EXE
3536	IEXPLORE.EXE
3536	IEXPLORE.EXE
3536	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exeDesktopLayer.exe

description	pid	process	target process
PID 3724 wrote to memory of 864	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe
PID 3724 wrote to memory of 864	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe
PID 3724 wrote to memory of 864	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe
PID 3724 wrote to memory of 552	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	winlogon.exe
PID 3724 wrote to memory of 552	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	winlogon.exe
PID 3724 wrote to memory of 552	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	winlogon.exe
PID 3724 wrote to memory of 552	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	winlogon.exe
PID 3724 wrote to memory of 552	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	winlogon.exe
PID 3724 wrote to memory of 552	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	winlogon.exe
PID 3724 wrote to memory of 632	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	lsass.exe
PID 3724 wrote to memory of 632	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	lsass.exe
PID 3724 wrote to memory of 632	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	lsass.exe
PID 3724 wrote to memory of 632	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	lsass.exe
PID 3724 wrote to memory of 632	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	lsass.exe
PID 3724 wrote to memory of 632	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	lsass.exe
PID 3724 wrote to memory of 716	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 716	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 716	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 716	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 716	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 716	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 720	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 720	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 720	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 720	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 720	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 720	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	fontdrvhost.exe
PID 3724 wrote to memory of 736	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 736	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 864 wrote to memory of 1028	864	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe	DesktopLayer.exe
PID 864 wrote to memory of 1028	864	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe	DesktopLayer.exe
PID 864 wrote to memory of 1028	864	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe	DesktopLayer.exe
PID 3724 wrote to memory of 736	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 736	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 736	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 736	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 1028 wrote to memory of 1236	1028	DesktopLayer.exe	iexplore.exe
PID 1028 wrote to memory of 1236	1028	DesktopLayer.exe	iexplore.exe
PID 3724 wrote to memory of 804	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 804	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 804	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 804	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 804	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 804	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 856	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 856	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 856	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 856	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 856	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 856	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 896	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 896	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 896	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 896	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 896	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 896	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 984	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	dwm.exe
PID 3724 wrote to memory of 984	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	dwm.exe
PID 3724 wrote to memory of 984	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	dwm.exe
PID 3724 wrote to memory of 984	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	dwm.exe
PID 3724 wrote to memory of 984	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	dwm.exe
PID 3724 wrote to memory of 984	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	dwm.exe
PID 3724 wrote to memory of 348	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe
PID 3724 wrote to memory of 348	3724	2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:632

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:552

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:720

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:984

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1284

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s WinHttpAutoProxySvc
1⤵
PID:1724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4
1⤵
PID:2280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2468

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2652

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2736

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3260

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4072

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:3296

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3276

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe
"C:\Users\Admin\AppData\Local\Temp\2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885.exe"
2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe
C:\Users\Admin\AppData\Local\Temp\2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:864

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1236

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2676

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:3336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2612

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1568

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1132

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1052

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:804

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:736

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
ef07b2dc81b7fdcc01d8a9cce1261822

SHA1
535c60f61ed56d43a349e92b86dd5204a1b61859

SHA256
4f4d35e9bbae40c756cb82b60a2bbfe0dfe055b06ddf2494a953ce7565ff8eb6

SHA512
1a26ee805d55b252567caec75c0b75ec5493aa1865b4fd8a1cf6b18972e2ffd82ba778b4a6a80ed85c9d016d841d26be11d4bc6f4bf8d8b512e7261dc7ad3fe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
2afd8f2820b91b98ed2a5015c5fafe10

SHA1
dd9202793bee41fecb7b5bce9d3f6ab619267170

SHA256
f059baf75fbec900fa036f09d129cb694f6fc9689c3d90df63bec1cc7a32ddf1

SHA512
848c5764b99658a66a295fd8cdc77a35becc9de39e926a0799b59243da96b1a47f2ac920356f29cefb51b7acaf6f26ce4c052de1a9d3c50ad8ec6290ba946b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\409VGYVK.cookie
MD5
6ede68b286ac2af55d7986f2723bd39a

SHA1
d1b14ac6fc72fa63a35fa39a2ce641e4e1d134bc

SHA256
542f03b208429dc1d370791e7e960f70fdfbb032b66af23a18c48909ee9bdd5a

SHA512
3f9189a51477613427137003d2083f912fd7deaf18db7d1a41d94111ee75754d32beaab65d8cd7ecafff1239c65017a1a9dda2b016e07c556cb94813dbe03704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\4OO149L2.cookie
MD5
7d69b498ef41632e0a80fb96b05f63c7

SHA1
c8ad80078f4bf9c57ad128f2e9cea2fc8f6cdc10

SHA256
19be813f68d29731b32f5ca70088aeceb32d5dee8ec21db52bd7da89c89d3dd9

SHA512
56abba3fbdb1117b870f787ed27515e6628e0eeeb96dc7d56db711ac5821df184db2de6dea0f305ee9c139a00736c12818722bea5f79cccb71114076a6e4d9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2075f8e945d13b6e8d6526fccd717ac7db550f142cc1ba3865489a99f8e76885Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
memory/864-123-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/864-122-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/864-114-0x0000000000000000-mapping.dmp

Download
memory/1028-120-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1028-117-0x0000000000000000-mapping.dmp

Download
memory/1236-126-0x00007FFA58570000-0x00007FFA585DB000-memory.dmp

Filesize
428KB

Download
memory/1236-121-0x0000000000000000-mapping.dmp

Download
memory/3536-128-0x0000000000000000-mapping.dmp

Download
memory/3724-127-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads