ramnit | 03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683

General

Target

03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
Size

306KB
MD5

f1380563caff56b0847c81bbbbdd37f5
SHA1

9d167fef0749448a3e121bc0bf6304904c5b63f0
SHA256

03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683
SHA512

2a1de292465385756bca95aa01fb033df6c36f0394a5059a40e16c94672dd907f9c1b0e92678c1b9805c40a71ca1f2ed848d6f6b044d0574a72f83890b798cdf

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe:*:enabled:@shell32.dll,-1"	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exeDesktopLayer.exe

pid process

3744 03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe
2660 DesktopLayer.exe

pid	process
3744	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe
2660	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/3744-124-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px15D0.tmp	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886301"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327905538"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886301"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F65E5793-B590-11EB-A11C-465F29FC5D21} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327873546"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3410534591"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886301"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327856953"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3404440931"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3404440931"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exeDesktopLayer.exe

pid	process
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
2660	DesktopLayer.exe
2660	DesktopLayer.exe
2660	DesktopLayer.exe
2660	DesktopLayer.exe
2660	DesktopLayer.exe
2660	DesktopLayer.exe
2660	DesktopLayer.exe
2660	DesktopLayer.exe

Suspicious behavior: MapViewOfSection 62 IoCs

Processes:

03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe

pid	process
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe

description pid process

Token: SeDebugPrivilege 3196 03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

188 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

188 iexplore.exe
188 iexplore.exe
2224 IEXPLORE.EXE
2224 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe

pid	process
188	iexplore.exe

pid	process
188	iexplore.exe
188	iexplore.exe
2224	IEXPLORE.EXE
2224	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe

description	pid	process	target process
PID 3196 wrote to memory of 3744	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe
PID 3196 wrote to memory of 3744	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe
PID 3196 wrote to memory of 3744	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe
PID 3744 wrote to memory of 2660	3744	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe	DesktopLayer.exe
PID 3744 wrote to memory of 2660	3744	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe	DesktopLayer.exe
PID 3744 wrote to memory of 2660	3744	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe	DesktopLayer.exe
PID 3196 wrote to memory of 572	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	winlogon.exe
PID 3196 wrote to memory of 572	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	winlogon.exe
PID 3196 wrote to memory of 572	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	winlogon.exe
PID 3196 wrote to memory of 572	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	winlogon.exe
PID 3196 wrote to memory of 572	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	winlogon.exe
PID 3196 wrote to memory of 572	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	winlogon.exe
PID 3196 wrote to memory of 632	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	lsass.exe
PID 3196 wrote to memory of 632	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	lsass.exe
PID 3196 wrote to memory of 632	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	lsass.exe
PID 3196 wrote to memory of 632	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	lsass.exe
PID 3196 wrote to memory of 632	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	lsass.exe
PID 3196 wrote to memory of 632	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	lsass.exe
PID 3196 wrote to memory of 716	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 716	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 716	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 716	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 716	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 716	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 732	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 732	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 732	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 732	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 732	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 732	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 736	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 736	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 736	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 736	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 736	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 736	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	fontdrvhost.exe
PID 3196 wrote to memory of 796	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 796	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 796	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 796	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 796	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 796	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 856	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 856	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 856	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 856	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 856	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 856	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 896	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 896	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 896	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 896	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 896	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 896	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 980	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	dwm.exe
PID 3196 wrote to memory of 980	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	dwm.exe
PID 3196 wrote to memory of 980	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	dwm.exe
PID 3196 wrote to memory of 980	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	dwm.exe
PID 3196 wrote to memory of 980	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	dwm.exe
PID 3196 wrote to memory of 980	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	dwm.exe
PID 3196 wrote to memory of 1000	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 1000	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 1000	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe
PID 3196 wrote to memory of 1000	3196	03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe	svchost.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1768

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1872

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1604

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390
1⤵
PID:2172

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2404

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2612

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe
"C:\Users\Admin\AppData\Local\Temp\03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683.exe"
2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196

C:\Users\Admin\AppData\Local\Temp\03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe
C:\Users\Admin\AppData\Local\Temp\03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3744

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:188

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:188 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2224

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2712

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2688

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:3896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1948

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:3388

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3276

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2664

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2464

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2364

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:948

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1000

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:980

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:796

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:1112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:3580

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:736

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:716

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:632

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:572

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:2792

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
a0a5a4d72ad62fd610b043c84033deaf

SHA1
aa5c3deaba3b479e004880b369f63f2b59b23b9a

SHA256
35d20d28885d84fef2a2e06125bf9626fbab13b99d1238a435a444a8db1cb9c6

SHA512
20dd0d4276e854bca2767bd4cf7f04068a23742ff33926a7ba5296d2b0a453d456f37662e443c4df2fc3027bbead658a8ca6f8be40a61c82e3d6085cf85b9243

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
5934fd131a319dc33730cd20bd45103f

SHA1
8c582a3b2f710eda7a7c1e35413bd1d76677740c

SHA256
e799fab0545f95c599e19ea65ac15a47e3867b12a32261346420310e986842ac

SHA512
def006169c5a406d918c408c607b67fb13b64c17356e6c7e4d51e8f7926f3c5dc398bb3d7809b53daba34f56914ae21d191cd45677c0086e2557051fc8742efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\K55PUGGH.cookie
MD5
711bf622a3e287f60555d5e0a8543b37

SHA1
dd71770dd5a68442d9dd9c1c770a96160c7f968b

SHA256
3f5fb7d655e7b42338adf3fbcf682500cdc0810ef43df6a95b3fc6fd6e7a4fe5

SHA512
91e6e35c5d27b5a988dd5782b9cbcae21771ebae9ea0b74fe3aa319b520188eb660692994e7c9e18586deb7b537a1f9e81948b50279e14597525e696a08017c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VXYSPXE3.cookie
MD5
ce94fe559dafb8008034dd1705c28446

SHA1
eea9f51c12a75061331a398c2a715205aee2707e

SHA256
f3df62d425a9840ad9caa4bacedd6ea8612bbc374d82376a94a54570fd4c0154

SHA512
6fd5d59dcd14f8d16618cc359072a2078c45c582b4553aaf7205cbd7cdccfbc34744046e02805e8e73e34e079b2fbee63a4527dcb8a3bebf4ca1ae4cafff48c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\03972841581917922e355d754ac6fcd5ef8ff10656bf9f030d8f11686c3ad683Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
memory/188-122-0x00007FF9EBA70000-0x00007FF9EBADB000-memory.dmp

Filesize
428KB

Download
memory/188-121-0x0000000000000000-mapping.dmp

Download
memory/2224-127-0x0000000000000000-mapping.dmp

Download
memory/2660-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2660-117-0x0000000000000000-mapping.dmp

Download
memory/3196-128-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/3744-123-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/3744-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3744-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads