ramnit | ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37

General

Target

ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
Size

355KB
MD5

b04f67e5770cdf247ee3f6312a1036d8
SHA1

1224c2590382c68c8a2d6a5f60649db1e4cdb958
SHA256

ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37
SHA512

fddb000825716688d9610b72ac144ccc5bea69b13a086f4da3ed13908c63f9dab1e050b0fd0d3a8d58bb7d338849b6625f5b0905a3f4ef324297c15ee20c0667

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe:*:enabled:@shell32.dll,-1"	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exeDesktopLayer.exe

pid process

424 ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe
1296 DesktopLayer.exe

pid	process
424	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe
1296	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/424-124-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px260C.tmp	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1416391811"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327900186"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327851600"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886289"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1416391811"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886289"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1426860507"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327868194"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7FC43495-B584-11EB-A11C-56A0FB8C6E6D} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886289"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exeDesktopLayer.exe

pid	process
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
1296	DesktopLayer.exe
1296	DesktopLayer.exe
1296	DesktopLayer.exe
1296	DesktopLayer.exe
1296	DesktopLayer.exe
1296	DesktopLayer.exe
1296	DesktopLayer.exe
1296	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1536 iexplore.exe

pid	process
1536	iexplore.exe

Suspicious behavior: MapViewOfSection 60 IoCs

Processes:

ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe

pid	process
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe

description pid process

Token: SeDebugPrivilege 3952 ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1536 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1536 iexplore.exe
1536 iexplore.exe
2804 IEXPLORE.EXE
2804 IEXPLORE.EXE
2804 IEXPLORE.EXE
2804 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe

pid	process
1536	iexplore.exe

pid	process
1536	iexplore.exe
1536	iexplore.exe
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe

description	pid	process	target process
PID 3952 wrote to memory of 424	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe
PID 3952 wrote to memory of 424	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe
PID 3952 wrote to memory of 424	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe
PID 3952 wrote to memory of 568	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	winlogon.exe
PID 3952 wrote to memory of 568	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	winlogon.exe
PID 3952 wrote to memory of 568	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	winlogon.exe
PID 3952 wrote to memory of 568	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	winlogon.exe
PID 3952 wrote to memory of 568	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	winlogon.exe
PID 3952 wrote to memory of 568	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	winlogon.exe
PID 3952 wrote to memory of 620	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	lsass.exe
PID 3952 wrote to memory of 620	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	lsass.exe
PID 3952 wrote to memory of 620	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	lsass.exe
PID 3952 wrote to memory of 620	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	lsass.exe
PID 3952 wrote to memory of 620	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	lsass.exe
PID 3952 wrote to memory of 620	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	lsass.exe
PID 3952 wrote to memory of 708	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 708	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 708	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 708	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 708	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 708	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 716	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 716	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 716	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 716	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 716	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 716	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 720	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 720	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 720	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 720	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 720	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 720	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	fontdrvhost.exe
PID 3952 wrote to memory of 792	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 792	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 792	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 792	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 792	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 792	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 840	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 840	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 840	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 840	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 840	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 840	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 888	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 888	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 888	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 888	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 888	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 888	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 964	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	dwm.exe
PID 3952 wrote to memory of 964	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	dwm.exe
PID 3952 wrote to memory of 964	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	dwm.exe
PID 3952 wrote to memory of 964	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	dwm.exe
PID 3952 wrote to memory of 964	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	dwm.exe
PID 3952 wrote to memory of 964	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	dwm.exe
PID 3952 wrote to memory of 344	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 344	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 344	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 344	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 344	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 344	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe
PID 3952 wrote to memory of 364	3952	ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:620

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:568

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:964

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:720

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:840

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1620

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ac
2⤵
PID:2100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2796

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3480

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1892

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4084

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3704

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3248

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2776

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:3988

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe
"C:\Users\Admin\AppData\Local\Temp\ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37.exe"
2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Local\Temp\ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe
C:\Users\Admin\AppData\Local\Temp\ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:424

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1536

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2804

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2704

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2488

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2308

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2300

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2116

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2052

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1992

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1740

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1568

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1480

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:936

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:792

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:736

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:716

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
d8ce8e59dc1b438493939ab9753807d0

SHA1
fa3ec7549a6f496749762cbed1038a2cb1951dca

SHA256
61c6b349fe8f639b7d9d56a81b005a2f86b05c5cad20225ff6ba3aa24e592c24

SHA512
7ff83c93e3b9f17a2fae2a14a5a0ddfc498cc3d7cec5dffda45936383b3c2c2ee2aa62719b2165d74b1bf676a71b55191e45702b576cc059fa6af24ba74ae954

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
d8ce8e59dc1b438493939ab9753807d0

SHA1
fa3ec7549a6f496749762cbed1038a2cb1951dca

SHA256
61c6b349fe8f639b7d9d56a81b005a2f86b05c5cad20225ff6ba3aa24e592c24

SHA512
7ff83c93e3b9f17a2fae2a14a5a0ddfc498cc3d7cec5dffda45936383b3c2c2ee2aa62719b2165d74b1bf676a71b55191e45702b576cc059fa6af24ba74ae954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
a0a5a4d72ad62fd610b043c84033deaf

SHA1
aa5c3deaba3b479e004880b369f63f2b59b23b9a

SHA256
35d20d28885d84fef2a2e06125bf9626fbab13b99d1238a435a444a8db1cb9c6

SHA512
20dd0d4276e854bca2767bd4cf7f04068a23742ff33926a7ba5296d2b0a453d456f37662e443c4df2fc3027bbead658a8ca6f8be40a61c82e3d6085cf85b9243

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
1c7e85746d6b54b44391772c8e23abf4

SHA1
cfe95b44a2f1d0114fcb6826bef07711367fef49

SHA256
e332e7705e738288735e8ade420cb357b6239b68995d77db73361f68247449ff

SHA512
fb7e6720fb594e324fc70bec4dcaa822e5a0d7742fba6d0d0c300dc4f077e6a6924e01c8ae0a207fc19ceac6ca3c5d5c7e17dca7aac5d5a3b8d3a4cb30261926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\P9N07U7H.cookie
MD5
005600647f59651224ffa97103b7b4cd

SHA1
6c34a87265639c946cd731d907f4d41c52f8ee81

SHA256
179d495b4ee3f358bd247c2850b403d8bec3b1f082a465c507a8fa905585e2c3

SHA512
1797aa5694f5820f8a901dc65b12a60d4571cbe4a1b92ac6b116b65af863e01b24d6c8a9a5b87bda176a08a50600f1d263b43edd668077a28d2aed5e20b0dbb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\WJRO3K2Q.cookie
MD5
cdfd8bec77072af3106cbd9410e54f4f

SHA1
0af1278f7ec3c4dc918b57c93e11e222a3f95843

SHA256
451d968d2ee6b9c4d78eaff19e2f5f7f49215424ea324bb18fcd9185bab0f61f

SHA512
4fbcb5357e3cc9c4495af812a812b1f2f5780b5d3f47106cfe4ee32bcd29af07bacbbf530c218f4a5416f94f58c64af9831ef07d952549cec9572f538b2d8bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe
MD5
d8ce8e59dc1b438493939ab9753807d0

SHA1
fa3ec7549a6f496749762cbed1038a2cb1951dca

SHA256
61c6b349fe8f639b7d9d56a81b005a2f86b05c5cad20225ff6ba3aa24e592c24

SHA512
7ff83c93e3b9f17a2fae2a14a5a0ddfc498cc3d7cec5dffda45936383b3c2c2ee2aa62719b2165d74b1bf676a71b55191e45702b576cc059fa6af24ba74ae954

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab147a1987b15dbd897ee3f13eac610cb5a1edd445c08a669f16eefa632ecb37Srv.exe
MD5
d8ce8e59dc1b438493939ab9753807d0

SHA1
fa3ec7549a6f496749762cbed1038a2cb1951dca

SHA256
61c6b349fe8f639b7d9d56a81b005a2f86b05c5cad20225ff6ba3aa24e592c24

SHA512
7ff83c93e3b9f17a2fae2a14a5a0ddfc498cc3d7cec5dffda45936383b3c2c2ee2aa62719b2165d74b1bf676a71b55191e45702b576cc059fa6af24ba74ae954

Download Submit
memory/424-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/424-114-0x0000000000000000-mapping.dmp

Download
memory/424-123-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/1296-117-0x0000000000000000-mapping.dmp

Download
memory/1296-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1536-122-0x00007FFA3BAE0000-0x00007FFA3BB4B000-memory.dmp

Filesize
428KB

Download
memory/1536-121-0x0000000000000000-mapping.dmp

Download
memory/2804-125-0x0000000000000000-mapping.dmp

Download
memory/3952-128-0x00000000004D0000-0x000000000061A000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads