ramnit | 1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61

General

Target

1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
Size

759KB
MD5

6898211d86ec424227f1c92b80dd35a0
SHA1

08e38fc8f8640f7c69c976316bf8b3cde1fcc265
SHA256

1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61
SHA512

75798984800d11e06a6780e05dc078a3ca4f3997b7e7e10a142993eab1baa7669c685add158eb55af3c56a06dc563599fa6720625a45647e6b1223fbbe6cd8f6

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe:*:enabled:@shell32.dll,-1"	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1632 created 3944 1632 WerFault.exe 1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
Executes dropped EXE 2 IoCs

Processes:

1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exeDesktopLayer.exe

pid process

212 1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe
572 DesktopLayer.exe

description	pid	process	target process
PID 1632 created 3944	1632	WerFault.exe	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe

pid	process
212	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe
572	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/212-125-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB12.tmp	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1632 3944 WerFault.exe 1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe

pid	pid_target	process	target process
1632	3944	WerFault.exe	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4AEC806-B67A-11EB-A11C-56F1F4F21F1A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886535"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2305385582"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886535"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886535"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2316948433"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327973939"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2305385582"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "328005931"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327957345"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exeDesktopLayer.exeWerFault.exe

pid	process
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
572	DesktopLayer.exe
572	DesktopLayer.exe
572	DesktopLayer.exe
572	DesktopLayer.exe
572	DesktopLayer.exe
572	DesktopLayer.exe
572	DesktopLayer.exe
572	DesktopLayer.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe

Suspicious behavior: MapViewOfSection 58 IoCs

Processes:

1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe

pid	process
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
Token: SeRestorePrivilege	1632	WerFault.exe
Token: SeBackupPrivilege	1632	WerFault.exe
Token: SeDebugPrivilege	1632	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3136 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3136 iexplore.exe
3136 iexplore.exe
2344 IEXPLORE.EXE
2344 IEXPLORE.EXE

pid	process
3136	iexplore.exe

pid	process
3136	iexplore.exe
3136	iexplore.exe
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe

description	pid	process	target process
PID 3944 wrote to memory of 212	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe
PID 3944 wrote to memory of 212	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe
PID 3944 wrote to memory of 212	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe
PID 212 wrote to memory of 572	212	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe	DesktopLayer.exe
PID 212 wrote to memory of 572	212	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe	DesktopLayer.exe
PID 212 wrote to memory of 572	212	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe	DesktopLayer.exe
PID 3944 wrote to memory of 548	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	winlogon.exe
PID 3944 wrote to memory of 548	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	winlogon.exe
PID 3944 wrote to memory of 548	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	winlogon.exe
PID 3944 wrote to memory of 548	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	winlogon.exe
PID 3944 wrote to memory of 548	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	winlogon.exe
PID 3944 wrote to memory of 548	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	winlogon.exe
PID 3944 wrote to memory of 632	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	lsass.exe
PID 3944 wrote to memory of 632	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	lsass.exe
PID 3944 wrote to memory of 632	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	lsass.exe
PID 3944 wrote to memory of 632	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	lsass.exe
PID 3944 wrote to memory of 632	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	lsass.exe
PID 3944 wrote to memory of 632	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	lsass.exe
PID 3944 wrote to memory of 716	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 716	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 716	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 716	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 716	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 716	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 724	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 724	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 724	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 724	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 724	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 724	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 728	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 728	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 728	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 728	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 728	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 728	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	fontdrvhost.exe
PID 3944 wrote to memory of 804	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 804	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 804	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 804	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 804	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 804	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 848	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 848	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 848	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 848	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 848	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 848	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 896	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 896	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 896	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 896	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 896	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 896	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 984	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	dwm.exe
PID 3944 wrote to memory of 984	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	dwm.exe
PID 3944 wrote to memory of 984	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	dwm.exe
PID 3944 wrote to memory of 984	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	dwm.exe
PID 3944 wrote to memory of 984	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	dwm.exe
PID 3944 wrote to memory of 984	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	dwm.exe
PID 3944 wrote to memory of 1004	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 1004	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 1004	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe
PID 3944 wrote to memory of 1004	3944	1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:548

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:984

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:724

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:716

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2704

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3472

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:3288

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:1964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3792

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3276

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe
"C:\Users\Admin\AppData\Local\Temp\1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61.exe"
2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe
C:\Users\Admin\AppData\Local\Temp\1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:212

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 636
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2964

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2880

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2844

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2436

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2420

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:1744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x38c
1⤵
PID:2376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2308

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2292

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2156

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1648

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1984

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1308

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1144

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1072

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1040

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1004

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:804

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:728

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:3148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3136

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3136 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
55205f68311ba681b087489576566937

SHA1
6365b0130e0cab1958461376ea7058b69a89740f

SHA256
e58e5259c4731c23c6ef713508e2df9162a19e82e36ce67056cc860ef5d1bc03

SHA512
06dceeb161f494f43572a5258d4c740382716adbe1374d9c9fac8143087e2ba7bfb808b05d7b922511ce42908b9c7b7a155536033efec7d74e8323ee2af72261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
0c28a5ad582a194f10e03cdba49d437f

SHA1
4532d7e3f9923492e105ce8c9bb5e9f20b479213

SHA256
fd6b9dd13746fd256c3f85e64e25f0e52ce7027201db7a00ca2125d255ce437b

SHA512
4dbae0f426f994fc3d8ba45e3e59d49b8b9d1cc198edb554caf200edfc6fd9075ff01d7c40c1d6c2a1edbee71fa5f592b8bde57be699f7c1b75abd4eb966fa50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\2R0IDYM0.cookie
MD5
dff064e5e04e2bf0195fda1e9a9277a5

SHA1
be79bc46b8d9edc602135c9a0d391716ace9b464

SHA256
ab12c5d1eedd6b7b6126a6418512f967e409e156663624a0847aa8ae58c72674

SHA512
05ebc7537c68f21e19bd30a2a82719ea09660896ea299752c3dfc84c79dcd80b87f4b10f17e367ecf3e9fb25e3f9b2eb691b60416ccdfdaa696bd7ac90a0d835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JFSXULEM.cookie
MD5
821ba033e0faa3d096959fbe530e4cb4

SHA1
b3e336883dc7058e98fe18db35cce3cf5c7f9bd0

SHA256
824af663da078f5d8fa3ace02db4ba41b577ba4e509010694599e04a759912ab

SHA512
09d68114b99106bef315a02155ad5ecdd4a6bfbe36d3c2eab120d31d329f82ba43741530b34e3c49afb1211a1bbdb46b0941b2df09a08f042199a234f4bbc5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e8bbeb22236d4019e7c178efdbbccbbe37b13b5c5094268d80d2920f2310b61Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
memory/212-124-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/212-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/212-114-0x0000000000000000-mapping.dmp

Download
memory/572-117-0x0000000000000000-mapping.dmp

Download
memory/572-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2344-123-0x0000000000000000-mapping.dmp

Download
memory/3136-121-0x0000000000000000-mapping.dmp

Download
memory/3136-122-0x00007FFDD5720000-0x00007FFDD578B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads