ramnit | 34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd

General

Target

34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
Size

464KB
MD5

655d8239ee74f2b0f3864fd40db619db
SHA1

5e774ae154b092b7540d69a16e0e799ade49c083
SHA256

34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd
SHA512

c178c3b7b1c29c044040d9a3ac6780cd9533282d7a5052272f3697f3f95720a4e3c9751a55fca13e6a826b23683f79678479f4187d369d43efb376eb657f3760

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe:*:enabled:@shell32.dll,-1"	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3828 created 3656 3828 WerFault.exe 34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
Executes dropped EXE 2 IoCs

Processes:

34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exeDesktopLayer.exe

pid process

1712 34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe
2008 DesktopLayer.exe

description	pid	process	target process
PID 3828 created 3656	3828	WerFault.exe	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe

pid	process
1712	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe
2008	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/1712-125-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px27B2.tmp	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3828 3656 WerFault.exe 34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe

pid	pid_target	process	target process
3828	3656	WerFault.exe	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327884643"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886253"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "614010390"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886253"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "614010390"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4FFD70A8-B560-11EB-A11C-E62B3DD6123B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886253"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "623228999"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327836058"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327852651"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exeDesktopLayer.exeWerFault.exe

pid	process
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
2008	DesktopLayer.exe
2008	DesktopLayer.exe
2008	DesktopLayer.exe
2008	DesktopLayer.exe
2008	DesktopLayer.exe
2008	DesktopLayer.exe
2008	DesktopLayer.exe
2008	DesktopLayer.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe

Suspicious behavior: MapViewOfSection 61 IoCs

Processes:

34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe

pid	process
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
Token: SeRestorePrivilege	3828	WerFault.exe
Token: SeBackupPrivilege	3828	WerFault.exe
Token: SeDebugPrivilege	3828	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2348 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2348 iexplore.exe
2348 iexplore.exe
3484 IEXPLORE.EXE
3484 IEXPLORE.EXE

pid	process
2348	iexplore.exe

pid	process
2348	iexplore.exe
2348	iexplore.exe
3484	IEXPLORE.EXE
3484	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe

description	pid	process	target process
PID 3656 wrote to memory of 1712	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe
PID 3656 wrote to memory of 1712	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe
PID 3656 wrote to memory of 1712	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe
PID 3656 wrote to memory of 564	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	winlogon.exe
PID 3656 wrote to memory of 564	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	winlogon.exe
PID 3656 wrote to memory of 564	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	winlogon.exe
PID 3656 wrote to memory of 564	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	winlogon.exe
PID 3656 wrote to memory of 564	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	winlogon.exe
PID 3656 wrote to memory of 564	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	winlogon.exe
PID 3656 wrote to memory of 624	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	lsass.exe
PID 3656 wrote to memory of 624	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	lsass.exe
PID 3656 wrote to memory of 624	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	lsass.exe
PID 3656 wrote to memory of 624	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	lsass.exe
PID 3656 wrote to memory of 624	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	lsass.exe
PID 3656 wrote to memory of 624	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	lsass.exe
PID 3656 wrote to memory of 708	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 708	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 708	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 708	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 708	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 708	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 712	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 712	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 712	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 712	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 712	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 712	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	fontdrvhost.exe
PID 3656 wrote to memory of 724	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 724	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 1712 wrote to memory of 2008	1712	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe	DesktopLayer.exe
PID 1712 wrote to memory of 2008	1712	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe	DesktopLayer.exe
PID 1712 wrote to memory of 2008	1712	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe	DesktopLayer.exe
PID 3656 wrote to memory of 724	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 724	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 724	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 724	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 792	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 792	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 792	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 792	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 792	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 792	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 848	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 848	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 848	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 848	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 848	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 848	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 888	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 888	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 888	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 888	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 888	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 888	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 972	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	dwm.exe
PID 3656 wrote to memory of 972	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	dwm.exe
PID 3656 wrote to memory of 972	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	dwm.exe
PID 3656 wrote to memory of 972	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	dwm.exe
PID 3656 wrote to memory of 972	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	dwm.exe
PID 3656 wrote to memory of 972	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	dwm.exe
PID 3656 wrote to memory of 68	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 68	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 68	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe
PID 3656 wrote to memory of 68	3656	34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:624

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:564

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:712

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:972

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe
"C:\Users\Admin\AppData\Local\Temp\34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfd.exe"
2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe
C:\Users\Admin\AppData\Local\Temp\34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 188
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3828

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:1472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3708

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:2860

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3580

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3256

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3244

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2712

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2640

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:3024

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2592

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2572

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2480

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x398
1⤵
PID:2096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:948

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1944

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1788

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1740

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1676

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1196

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1188

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1144

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1032

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:608

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:68

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:888

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:792

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:724

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:708

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:640

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
a0a5a4d72ad62fd610b043c84033deaf

SHA1
aa5c3deaba3b479e004880b369f63f2b59b23b9a

SHA256
35d20d28885d84fef2a2e06125bf9626fbab13b99d1238a435a444a8db1cb9c6

SHA512
20dd0d4276e854bca2767bd4cf7f04068a23742ff33926a7ba5296d2b0a453d456f37662e443c4df2fc3027bbead658a8ca6f8be40a61c82e3d6085cf85b9243

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
2011c48e65ed8a7fb8b89dda343d2ca1

SHA1
15e414dbdd68325236bfe9303ac84a5e9a50600a

SHA256
0327cfb1d176d061a66c6fdca4157bcacdd8e7c60da0bcd1776400f88be9d2e9

SHA512
6de9416443fe52a9f4d75a6c7f477c8a2aa010d9143064d82b5144fdbadfbe7d5a6a4ca806d3636c23903f51bf067ebf1d3ce3203c3a31dbe72107b946f9cdb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1VNPP1UO.cookie
MD5
1b28d47007f73de81ae1fa1fad1a9c8b

SHA1
55e8c8dc98dee32d7b19ef57732153107bd84595

SHA256
86bc570bd66d2702f54e51daa6b19a827ef83c4c85347b1b33cf45f9b6ca7093

SHA512
c885b5113806a5f8dba34c4d822b71f105118eebbe32b2b51f9dca811333daee8143346860470775db8d8011bfeb993dd2a9345765dd7bd08ece7388c8825501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VHDWVTXE.cookie
MD5
8d96a7f22fdac1f3c7d07114c4647607

SHA1
6b829922d3269920a670efd07b6560b02988c02b

SHA256
70430a3dccc1adaaa3329751226f1c57810792463c10f6a1d312926041baf3e6

SHA512
2fe8b0fc2ef9eb43a1fb420d63d1e13942e23df977cc4070ce6a1904e4be010bcf3842612b7a5dad57c91302c7260a21a07f83597d6527da6aadcc1f300598a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\34c30797a9be382cf26eab6e73f43b9635f6a5bc23b667207d489ab5ae50adfdSrv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
memory/1712-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1712-114-0x0000000000000000-mapping.dmp

Download
memory/1712-124-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/2008-117-0x0000000000000000-mapping.dmp

Download
memory/2008-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2348-122-0x00007FF88D480000-0x00007FF88D4EB000-memory.dmp

Filesize
428KB

Download
memory/2348-121-0x0000000000000000-mapping.dmp

Download
memory/3484-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads