ramnit | dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94

General

Target

dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
Size

300KB
MD5

890fde4a1d65e04af6deb530fc7abb9c
SHA1

b77256ee6cc61e0775a6f44286b43484ee9deeff
SHA256

dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94
SHA512

231dfc841600a1e8fd8639d4cf838fa3df75a39cc008996b51d2f7ede93a8ae60cabe57957158d635f811c30b27a655104cfe11326cb3c82a89b16699555e44a

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe:*:enabled:@shell32.dll,-1"	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1872 created 4060 1872 WerFault.exe dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
Executes dropped EXE 2 IoCs

Processes:

dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exeDesktopLayer.exe

pid process

224 dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe
4024 DesktopLayer.exe

description	pid	process	target process
PID 1872 created 4060	1872	WerFault.exe	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe

pid	process
224	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe
4024	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/224-123-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxDF0.tmp	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1872 4060 WerFault.exe dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe

pid	pid_target	process	target process
1872	4060	WerFault.exe	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4277362077"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327944227"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886504"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327992812"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327960821"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886504"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4268924196"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{29C0D300-B65C-11EB-A11C-4624C1D76809} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4268924196"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886504"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exeDesktopLayer.exeWerFault.exe

pid	process
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4024	DesktopLayer.exe
4024	DesktopLayer.exe
4024	DesktopLayer.exe
4024	DesktopLayer.exe
4024	DesktopLayer.exe
4024	DesktopLayer.exe
4024	DesktopLayer.exe
4024	DesktopLayer.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe

Suspicious behavior: MapViewOfSection 61 IoCs

Processes:

dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe

pid	process
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
Token: SeRestorePrivilege	1872	WerFault.exe
Token: SeBackupPrivilege	1872	WerFault.exe
Token: SeDebugPrivilege	1872	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

836 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

836 iexplore.exe
836 iexplore.exe
2464 IEXPLORE.EXE
2464 IEXPLORE.EXE

pid	process
836	iexplore.exe

pid	process
836	iexplore.exe
836	iexplore.exe
2464	IEXPLORE.EXE
2464	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exedab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe

description	pid	process	target process
PID 4060 wrote to memory of 224	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe
PID 4060 wrote to memory of 224	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe
PID 4060 wrote to memory of 224	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe
PID 224 wrote to memory of 4024	224	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe	DesktopLayer.exe
PID 224 wrote to memory of 4024	224	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe	DesktopLayer.exe
PID 224 wrote to memory of 4024	224	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe	DesktopLayer.exe
PID 4060 wrote to memory of 592	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	winlogon.exe
PID 4060 wrote to memory of 592	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	winlogon.exe
PID 4060 wrote to memory of 592	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	winlogon.exe
PID 4060 wrote to memory of 592	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	winlogon.exe
PID 4060 wrote to memory of 592	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	winlogon.exe
PID 4060 wrote to memory of 592	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	winlogon.exe
PID 4060 wrote to memory of 652	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	lsass.exe
PID 4060 wrote to memory of 652	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	lsass.exe
PID 4060 wrote to memory of 652	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	lsass.exe
PID 4060 wrote to memory of 652	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	lsass.exe
PID 4060 wrote to memory of 652	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	lsass.exe
PID 4060 wrote to memory of 652	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	lsass.exe
PID 4060 wrote to memory of 732	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 732	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 732	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 732	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 732	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 732	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 740	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 740	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 740	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 740	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 740	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 740	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	fontdrvhost.exe
PID 4060 wrote to memory of 748	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 748	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 748	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 748	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 748	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 748	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 820	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 820	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 820	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 820	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 820	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 820	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 872	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 872	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 872	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 872	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 872	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 872	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 912	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 912	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 912	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 912	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 912	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 912	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 1000	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	dwm.exe
PID 4060 wrote to memory of 1000	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	dwm.exe
PID 4060 wrote to memory of 1000	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	dwm.exe
PID 4060 wrote to memory of 1000	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	dwm.exe
PID 4060 wrote to memory of 1000	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	dwm.exe
PID 4060 wrote to memory of 1000	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	dwm.exe
PID 4060 wrote to memory of 364	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 364	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 364	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe
PID 4060 wrote to memory of 364	4060	dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:652

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:592

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1000

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:720

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1400

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe
"C:\Users\Admin\AppData\Local\Temp\dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94.exe"
2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\AppData\Local\Temp\dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe
C:\Users\Admin\AppData\Local\Temp\dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:224

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:836

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 196
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2788

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:1880

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:3364

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3660

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3336

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3320

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2712

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2700

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:3624

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2652

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2408

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b0
1⤵
PID:2284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2096

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1924

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1652

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1624

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1464

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1128

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1052

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:820

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:2664

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:740

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3880

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
55205f68311ba681b087489576566937

SHA1
6365b0130e0cab1958461376ea7058b69a89740f

SHA256
e58e5259c4731c23c6ef713508e2df9162a19e82e36ce67056cc860ef5d1bc03

SHA512
06dceeb161f494f43572a5258d4c740382716adbe1374d9c9fac8143087e2ba7bfb808b05d7b922511ce42908b9c7b7a155536033efec7d74e8323ee2af72261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
ceab6726ad1ea31f8d89c2bd726c68b9

SHA1
13f1c7546bf1e52aa319dfca9c75280f0569f3e9

SHA256
38c4f3ae6fdbeec058ae8a0a4d91d79d63de366478051e79710afb75f3ff574e

SHA512
132720932dc90c7aa5e8226aa30cf0dd88ba75a4d3806a26016d000e35554e48c7a3950687cb457d58904b14f2e6aff0a53ffbeee805baf4612337317c126428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Q5N0JPMF.cookie
MD5
a3803de53a1ddf28bb433ff3833b7c63

SHA1
258ad4c74dc1041a4c59cd7555c0f141ae417ac0

SHA256
320aaefac805ab7dcf67397bbac06b9cfbd62e095d05e28b8ce7ab73cbd823ea

SHA512
0b92acbfb78518abce30fdc073e049f02b3901e2cb5f1ec4c4c08690526d8988a365fe6f981193a8fac7bc8dd3dbf02abc8758a0571bd3b9b6c4bc2fec48b185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TQY3GF6P.cookie
MD5
3bdf06888bc0e772b23c2856a9408043

SHA1
f7d7665263533a89e51d053d73eaeecad79e3147

SHA256
8c0aad8cb973a770b096542e097ea1d285b66b51c397670b15825e6b6e12a335

SHA512
6a97b54e83786cc5ec128345fc16549ff5b568c7ffc161e5bb7c585b9701faf07b759180a1c75255765a53b78224139beef6bc5d7b47cea729e7e53030740f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dab6a6d06595504920e4b8df3ed14906e84b23cf705391a1dc095bcb24155d94Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
memory/224-122-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/224-123-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/224-114-0x0000000000000000-mapping.dmp

Download
memory/836-124-0x00007FFAE8E30000-0x00007FFAE8E9B000-memory.dmp

Filesize
428KB

Download
memory/836-121-0x0000000000000000-mapping.dmp

Download
memory/2464-127-0x0000000000000000-mapping.dmp

Download
memory/4024-117-0x0000000000000000-mapping.dmp

Download
memory/4024-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads