ramnit | 97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152

General

Target

97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
Size

304KB
MD5

c0fc7dc762af31654acb88083973715c
SHA1

74923cbf47ee8df4c4bd8fa37a08cc6635a52a42
SHA256

97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152
SHA512

99a7310b7c7128ddc541a2e8f460583dddee881a11c48f9d53263f16092ce68f5ac1144abb8a280812a9d337e5190c6a917aed7d28fb1910546198d62c1bf9a9

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process	target process
PID 1384 created 3628	1384	WerFault.exe	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
PID 2416 created 1544	2416	WerFault.exe	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe

Executes dropped EXE 1 IoCs

Processes:

97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe

pid process

1544 97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe

pid	process
1544	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe	upx
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\97B857828A5257F9C06B5CE110352661FA320A5231C769E2C3742CB80CBE3152SRV.EXE	upx
behavioral2/memory/1544-121-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px27D1.tmp	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1384	3628	WerFault.exe	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
2416	1544	WerFault.exe	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exeWerFault.exeWerFault.exe

pid	process
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
2416	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe
2416	WerFault.exe
1384	WerFault.exe

Suspicious behavior: MapViewOfSection 61 IoCs

Processes:

97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe

pid	process
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
Token: SeRestorePrivilege	1384	WerFault.exe
Token: SeBackupPrivilege	1384	WerFault.exe
Token: SeRestorePrivilege	2416	WerFault.exe
Token: SeBackupPrivilege	2416	WerFault.exe
Token: SeBackupPrivilege	2416	WerFault.exe
Token: SeDebugPrivilege	2416	WerFault.exe
Token: SeDebugPrivilege	1384	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe

description	pid	process	target process
PID 3628 wrote to memory of 1544	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe
PID 3628 wrote to memory of 1544	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe
PID 3628 wrote to memory of 1544	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe
PID 3628 wrote to memory of 572	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	winlogon.exe
PID 3628 wrote to memory of 572	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	winlogon.exe
PID 3628 wrote to memory of 572	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	winlogon.exe
PID 3628 wrote to memory of 572	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	winlogon.exe
PID 3628 wrote to memory of 572	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	winlogon.exe
PID 3628 wrote to memory of 572	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	winlogon.exe
PID 3628 wrote to memory of 632	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	lsass.exe
PID 3628 wrote to memory of 632	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	lsass.exe
PID 3628 wrote to memory of 632	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	lsass.exe
PID 3628 wrote to memory of 632	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	lsass.exe
PID 3628 wrote to memory of 632	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	lsass.exe
PID 3628 wrote to memory of 632	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	lsass.exe
PID 3628 wrote to memory of 716	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 716	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 716	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 716	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 716	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 716	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 732	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 732	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 732	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 732	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 732	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 732	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 736	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 736	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 736	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 736	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 736	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 736	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	fontdrvhost.exe
PID 3628 wrote to memory of 796	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 796	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 796	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 796	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 796	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 796	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 856	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 856	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 856	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 856	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 856	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 856	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 896	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 896	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 896	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 896	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 896	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 896	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 980	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	dwm.exe
PID 3628 wrote to memory of 980	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	dwm.exe
PID 3628 wrote to memory of 980	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	dwm.exe
PID 3628 wrote to memory of 980	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	dwm.exe
PID 3628 wrote to memory of 980	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	dwm.exe
PID 3628 wrote to memory of 980	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	dwm.exe
PID 3628 wrote to memory of 1000	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 1000	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 1000	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 1000	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 1000	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 1000	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe
PID 3628 wrote to memory of 396	3628	97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe	svchost.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2688

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:4052

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3260

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1948

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:3388

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3276

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe
"C:\Users\Admin\AppData\Local\Temp\97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628

C:\Users\Admin\AppData\Local\Temp\97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe
C:\Users\Admin\AppData\Local\Temp\97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 480
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 328
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2712

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2612

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2464

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2204

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390
1⤵
PID:2172

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1604

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2040

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:948

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1000

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:980

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:796

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:1160

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:736

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:716

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:632

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:572

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:816

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B5B.tmp.WERInternalMetadata.xml
MD5
789e679ccd0b01a644a4e78adf97570c

SHA1
b0bdab420fb1f1fc52806ebc240237567e6cebb1

SHA256
9bd1daf35579369dfeca6864ea0c9e70c647c5d7858d20b606dd14cf2f1643e9

SHA512
5b10523950c5690330d0440610178be84d9b923b0514b7f1e105f99d64ec686be95e78c59dac52d2ea071b170d74506ec1e92d64014ae916482cb0e6f911b103

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B5B.tmp.WERInternalMetadata.xml
MD5
eeb04370e803e48a809f44a54fc3ec81

SHA1
3e2370232a460def294c1180a4232ca1bfd4596e

SHA256
4e77126c21b83a8b90e1f9e06ce192e17fb647a7c5cb29f249655f26615e6883

SHA512
f074ce9a3a4a0ec2be630354ef8b6fe29e40009842c14ea8dbca2a3c534010a6dbb27d566f595fdce48b04067384cc3761ec7f68f335c68fbe2edb1994dd6e49

Download Submit
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\97B857828A5257F9C06B5CE110352661FA320A5231C769E2C3742CB80CBE3152SRV.EXE
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\97b857828a5257f9c06b5ce110352661fa320a5231c769e2c3742cb80cbe3152Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
memory/1544-114-0x0000000000000000-mapping.dmp

Download
memory/1544-116-0x000000007FEA0000-0x000000007FEAC000-memory.dmp

Filesize
48KB

Download
memory/1544-119-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/1544-121-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads