ramnit | a917b242f7af139debd38e393e5ed1ef6bed580e8926181e1b73a1416bad7361

General

Target

a917b242f7af139debd38e393e5ed1ef6bed580e8926181e1b73a1416bad7361.dll
Size

2.8MB
MD5

039b1e1e8c58087536034cf7f4e83735
SHA1

26118108ec54eb0482cf5556f607cf6d1bae6065
SHA256

a917b242f7af139debd38e393e5ed1ef6bed580e8926181e1b73a1416bad7361
SHA512

7c2ac0958979159626022191cab4a68d98e1155a8f2062f9ed45c409a74afd96cc7027f92e2f9ad2cce42fa246c2d08768e164f7e62400ea3f75ab40169510ac

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

regsvr32Srv.exeDesktopLayer.exe

pid process

1256 regsvr32Srv.exe
200 DesktopLayer.exe

pid	process
1256	regsvr32Srv.exe
200	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\regsvr32Srv.exe	upx
C:\Windows\SysWOW64\regsvr32Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/1256-126-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Windows\SysWOW64\regsvr32Srv.exe regsvr32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

Drops file in Program Files directory 3 IoCs

Processes:

regsvr32Srv.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1216.tmp	regsvr32Srv.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1784765316"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327658206"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9531ECE0-B39B-11EB-A11C-4624C1D76809} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885800"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327690197"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327641612"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885800"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885800"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1774765650"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1774765650"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe

Modifies registry class 35 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a917b242f7af139debd38e393e5ed1ef6bed580e8926181e1b73a1416bad7361.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1\ = "VqqDownload Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\ = "VqqDownload Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CLSID\ = "{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\TypeLib\ = "{25BD9BB7-33EC-4220-B725-56C470146288}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CurVer\ = "VqqSpeedDl.VqqDownload.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a917b242f7af139debd38e393e5ed1ef6bed580e8926181e1b73a1416bad7361.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\VersionIndependentProgID\ = "VqqSpeedDl.VqqDownload"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}\ = "VqqSpeedDl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\VqqSpeedDl.DLL\AppID = "{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\VqqSpeedDl.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\AppID = "{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\ = "VqqSpeedDl 1.0 ÀàÐÍ¿â"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ = "VqqDownload Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ProgID\ = "VqqSpeedDl.VqqDownload.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1\CLSID\ = "{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DesktopLayer.exe

pid	process
200	DesktopLayer.exe
200	DesktopLayer.exe
200	DesktopLayer.exe
200	DesktopLayer.exe
200	DesktopLayer.exe
200	DesktopLayer.exe
200	DesktopLayer.exe
200	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

3900 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3900 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3900 iexplore.exe
3900 iexplore.exe
2116 IEXPLORE.EXE
2116 IEXPLORE.EXE
2116 IEXPLORE.EXE
2116 IEXPLORE.EXE

pid	process
3900	iexplore.exe

pid	process
3900	iexplore.exe

pid	process
3900	iexplore.exe
3900	iexplore.exe
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32Srv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 1908 wrote to memory of 3332	1908	regsvr32.exe	regsvr32.exe
PID 1908 wrote to memory of 3332	1908	regsvr32.exe	regsvr32.exe
PID 1908 wrote to memory of 3332	1908	regsvr32.exe	regsvr32.exe
PID 3332 wrote to memory of 1256	3332	regsvr32.exe	regsvr32Srv.exe
PID 3332 wrote to memory of 1256	3332	regsvr32.exe	regsvr32Srv.exe
PID 3332 wrote to memory of 1256	3332	regsvr32.exe	regsvr32Srv.exe
PID 1256 wrote to memory of 200	1256	regsvr32Srv.exe	DesktopLayer.exe
PID 1256 wrote to memory of 200	1256	regsvr32Srv.exe	DesktopLayer.exe
PID 1256 wrote to memory of 200	1256	regsvr32Srv.exe	DesktopLayer.exe
PID 200 wrote to memory of 3900	200	DesktopLayer.exe	iexplore.exe
PID 200 wrote to memory of 3900	200	DesktopLayer.exe	iexplore.exe
PID 3900 wrote to memory of 2116	3900	iexplore.exe	IEXPLORE.EXE
PID 3900 wrote to memory of 2116	3900	iexplore.exe	IEXPLORE.EXE
PID 3900 wrote to memory of 2116	3900	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a917b242f7af139debd38e393e5ed1ef6bed580e8926181e1b73a1416bad7361.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\a917b242f7af139debd38e393e5ed1ef6bed580e8926181e1b73a1416bad7361.dll
2⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\regsvr32Srv.exe
C:\Windows\SysWOW64\regsvr32Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1256

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3900

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3900 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
4310fd34f132e1254705b5c31a563e96

SHA1
c457428f94727a63fa6ac9af2c73e3c39e433451

SHA256
3d4bf006b18d7c3dc8cd4de63c65e9a5d00018f0d4a85e1ec5f612f6449efbd9

SHA512
b74c9fe854cc54ee5aa7fb0d2a03678efe18ca056c852e6a64237b05cc201bab63f4a9fe64a955083d7980048520d68f0314333ac2c9a9845e6da2c700efc303

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
4af47d03b4b36312c57489e4eadbbf6d

SHA1
5b72d28f4552dfefc1836d5224e7a945ef7cda1e

SHA256
82964bd1f267873ec0ce233b477091743aa8fcb70352dfa7b072a95665ecd5d0

SHA512
1f8f3b47a5af3bc4cc4294d8798925dc501ab654b049de17fa9529948afb710bf78b3c7dd0f39ce90c58427b5d7330920e871ba5978241efdb3856e78c7b1721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\6A6SS77N.cookie
MD5
8984881bd7fef8940ba045994d6534ad

SHA1
6060b419d724fbabfae08786620bf7d0d5769729

SHA256
a234919d3beac9896eb765b716dc8030931a711a6d7440e41025ddac34b86be3

SHA512
aa1cb6fe42e2560fece019216cc243d4ba47a5715464a9c58e5d8b69eea65d89cf263236b85e984d163f97f16bc188f29c788c56bdd8ea1473bc953293476907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\HDQPZ2RS.cookie
MD5
524eaedc8a765e0134320f7b4a5401f1

SHA1
bf0e214e64585be7450efc79c108205437d01963

SHA256
3fd2714c41dae64736c1f99988f1406ba8fb5c53eaa814bc36dad66843cad615

SHA512
7365e561c9c9ad97ebc8b00341fd52e411cdb1389b12192542a684910087858281f89791812e130ed09b27a22deed2f54d4581dc029b905d5063d58f76bf2392

Download Submit
C:\Windows\SysWOW64\regsvr32Srv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\regsvr32Srv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/200-118-0x0000000000000000-mapping.dmp

Download
memory/200-121-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1256-126-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1256-125-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/1256-115-0x0000000000000000-mapping.dmp

Download
memory/2116-124-0x0000000000000000-mapping.dmp

Download
memory/3332-114-0x0000000000000000-mapping.dmp

Download
memory/3900-123-0x00007FFAE8B90000-0x00007FFAE8BFB000-memory.dmp

Filesize
428KB

Download
memory/3900-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads