ramnit | 33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf

Analysis

max time kernel
129s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-06-2022 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe
Size

357KB
MD5

5945e344a0cfa8ec080fde895923744f
SHA1

0079a2affd973e6e80172ff07afc0c8727765143
SHA256

33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf
SHA512

b608ec4713859df4937bcd50a163e2b5e7087a543281989a1f67d1046f5c1858a5564ca45397e7aefb241502d17d2173570771fe227fc083241aedb1119eea1b

Score

10^/10

ramnit sality backdoor banker evasion spyware stealer trojan upx worm

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe:*:enabled:@shell32.dll,-1"	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

Drops file in Drivers directory 1 IoCs

Processes:

33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\ETC\HOSTS	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe

Executes dropped EXE 3 IoCs

Processes:

33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid process

2472 33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
1120 DesktopLayer.exe
2580 DesktopLayerSrv.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3288-131-0x0000000000400000-0x000000000047A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	upx
behavioral2/memory/3288-133-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE	upx
behavioral2/memory/3288-139-0x0000000000400000-0x000000000047A000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\33C4503E147D203EBE76E4BF27C1248F167BC02EE42547BC916E905AB7EB81BFSRV.EXE	upx
behavioral2/memory/2472-145-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/1120-146-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral2/memory/1120-148-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral2/memory/2580-147-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/2472-137-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

Processes:

33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6239.tmp	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6333.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px61DB.tmp	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5088 2472 WerFault.exe 33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe

pid	pid_target	process	target process
5088	2472	WerFault.exe	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30966860"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = f982cdb29d50d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b0915000000000200000000001066000000010000200000004a709f981968ddeec9ab4476dabadf3c1e275630128d9eb788a76d8cf76144b9000000000e8000000002000020000000e3e8a9a90c0de891e433711f1baea70dee7455443400fb0c9dcce5e5a7c074325000000000c1d8726f40639835f9a578dfd5959c7f4fc01ae20b1079e296153166e232801c61a65696a7c6b4a14033f22b1ccc52b462685a2d669cda4c0c522306ad319de608251a77e48ce7e1db603b636700cc40000000b6c4a0e6f419fa3f92181bb514fb93ede9a88b3d1b4bf1885488e1cda032b5505370142eb60f1dc61a0970453ed00dde41bc83b21197368d885ae75a13aa0d17	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A72794A9-F03F-11EC-AC67-4270B13CC2D0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30966860"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b091500000000020000000000106600000001000020000000da7f055e2448d836200d4669708222cd3f64bfd6f3fbfcab32970ecbe2130b36000000000e8000000002000020000000da095846ab78044b4a78b787b02eb43148f67515cf457cc2728b09a58be45ff410000000d2bd64caf35e26d20a1d593ab97551c1400000002367dee16e3b00f6b08c6c7428f829b3bfffeb7d9d97ffefc04f60992a77bb030d056443dd3afbee794da063e0c786cba2b1741a1ad637a1142059cbeb567b57	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "362456647"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2074358933"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2074358933"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A7206FA4-F03F-11EC-AC67-4270B13CC2D0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30966860"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2089047165"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exeDesktopLayerSrv.exeDesktopLayer.exe

pid	process
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2580	DesktopLayerSrv.exe
2580	DesktopLayerSrv.exe
2580	DesktopLayerSrv.exe
2580	DesktopLayerSrv.exe
1120	DesktopLayer.exe
1120	DesktopLayer.exe
1120	DesktopLayer.exe
1120	DesktopLayer.exe
1120	DesktopLayer.exe
1120	DesktopLayer.exe
2580	DesktopLayerSrv.exe
2580	DesktopLayerSrv.exe
2580	DesktopLayerSrv.exe
2580	DesktopLayerSrv.exe
1120	DesktopLayer.exe
1120	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

364 iexplore.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe

pid	process
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe

description pid process

Token: SeDebugPrivilege 2472 33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

364 iexplore.exe
2964 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
364	iexplore.exe
364	iexplore.exe
2964	iexplore.exe
2964	iexplore.exe
4424	IEXPLORE.EXE
4424	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
4424	IEXPLORE.EXE
4424	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe

description	pid	process	target process
PID 3288 wrote to memory of 2472	3288	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
PID 3288 wrote to memory of 2472	3288	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
PID 3288 wrote to memory of 2472	3288	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
PID 2472 wrote to memory of 604	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	winlogon.exe
PID 2472 wrote to memory of 604	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	winlogon.exe
PID 2472 wrote to memory of 604	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	winlogon.exe
PID 2472 wrote to memory of 604	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	winlogon.exe
PID 2472 wrote to memory of 604	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	winlogon.exe
PID 2472 wrote to memory of 604	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	winlogon.exe
PID 2472 wrote to memory of 652	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	lsass.exe
PID 2472 wrote to memory of 652	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	lsass.exe
PID 2472 wrote to memory of 652	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	lsass.exe
PID 2472 wrote to memory of 652	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	lsass.exe
PID 2472 wrote to memory of 652	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	lsass.exe
PID 2472 wrote to memory of 652	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	lsass.exe
PID 2472 wrote to memory of 760	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 760	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 760	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 760	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 760	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 760	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 768	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 768	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 768	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 768	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 768	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 768	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	fontdrvhost.exe
PID 2472 wrote to memory of 776	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 776	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 776	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 776	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 776	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 776	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 876	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 876	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 876	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 876	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 876	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 876	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 936	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 936	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 936	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 936	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 936	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 936	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 1012	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	dwm.exe
PID 2472 wrote to memory of 1012	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	dwm.exe
PID 2472 wrote to memory of 1012	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	dwm.exe
PID 2472 wrote to memory of 1012	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	dwm.exe
PID 2472 wrote to memory of 1012	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	dwm.exe
PID 2472 wrote to memory of 1012	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	dwm.exe
PID 2472 wrote to memory of 472	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 472	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 472	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 472	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 472	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 472	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 520	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 520	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 520	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 520	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 520	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 520	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe
PID 2472 wrote to memory of 844	2472	33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:768

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:652

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3440

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3608

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:4180

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:3692

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3544

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
2⤵
PID:4440

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
2⤵
PID:4296

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1964

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2328

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2604

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2764

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4864

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe
"C:\Users\Admin\AppData\Local\Temp\33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf.exe"
2⤵
- Modifies firewall policy service
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Local\Temp\33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
C:\Users\Admin\AppData\Local\Temp\33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 356
4⤵
- Program crash
PID:5088

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1120

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2964

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:876

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:364

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:364 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2472 -ip 2472
1⤵
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE
Filesize
357KB

MD5
5945e344a0cfa8ec080fde895923744f

SHA1
0079a2affd973e6e80172ff07afc0c8727765143

SHA256
33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf

SHA512
b608ec4713859df4937bcd50a163e2b5e7087a543281989a1f67d1046f5c1858a5564ca45397e7aefb241502d17d2173570771fe227fc083241aedb1119eea1b

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
357KB

MD5
5945e344a0cfa8ec080fde895923744f

SHA1
0079a2affd973e6e80172ff07afc0c8727765143

SHA256
33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bf

SHA512
b608ec4713859df4937bcd50a163e2b5e7087a543281989a1f67d1046f5c1858a5564ca45397e7aefb241502d17d2173570771fe227fc083241aedb1119eea1b

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
Filesize
140KB

MD5
1ab2568e4a86310a921c9c7bcb1a5d33

SHA1
ec6bcec48fb91593590f5765700570b49118acbf

SHA256
7d35bfe88c187b6d90500a8d9c9b50865deb80f302335e53b36ff91cf1b10639

SHA512
8e918242eecfb8498499f677e74e7cfd888992a5e6d7348532aebfc924ee7b853af96aed300dbf388e9374006b3fbc234cd3aa4c066e1664542e8ef3fb071f67

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
Filesize
140KB

MD5
1ab2568e4a86310a921c9c7bcb1a5d33

SHA1
ec6bcec48fb91593590f5765700570b49118acbf

SHA256
7d35bfe88c187b6d90500a8d9c9b50865deb80f302335e53b36ff91cf1b10639

SHA512
8e918242eecfb8498499f677e74e7cfd888992a5e6d7348532aebfc924ee7b853af96aed300dbf388e9374006b3fbc234cd3aa4c066e1664542e8ef3fb071f67

Download Submit
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\33C4503E147D203EBE76E4BF27C1248F167BC02EE42547BC916E905AB7EB81BFSRV.EXE
Filesize
140KB

MD5
1ab2568e4a86310a921c9c7bcb1a5d33

SHA1
ec6bcec48fb91593590f5765700570b49118acbf

SHA256
7d35bfe88c187b6d90500a8d9c9b50865deb80f302335e53b36ff91cf1b10639

SHA512
8e918242eecfb8498499f677e74e7cfd888992a5e6d7348532aebfc924ee7b853af96aed300dbf388e9374006b3fbc234cd3aa4c066e1664542e8ef3fb071f67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
ac894ce763ddb15e950560bb84302782

SHA1
f722dcbc48ef1f2030e58b5e728c74769402562f

SHA256
76e0bc1b2f3a2fb7d536b45a919c9c56eb398ce21e3e999076535529bac97bd5

SHA512
5ea5d7efc228bf1fe5b87cc9f2564f691034dc6a8f3957cf96f3eb7e59b522ac28cea1664290c3f4f3a21feb41397e44727f7a3b858527bc17088a9e6e41fadb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
6797014463c5c884fab16a78e1cf94d3

SHA1
83d9c69a819169cfff0df410d0b546d3b620490f

SHA256
a9f53051f1ea7c571cae43892e9574bcbe3a04f97d86fd60731c9fbe0748a21c

SHA512
2de72f317a48e0794be277fdb4f5263a1b032fa773b15b72106754c3e114b5b22d325164d585dc77de3e7ddce08679cd49abfb5fa7ad6e4d179f5e8089500169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A7206FA4-F03F-11EC-AC67-4270B13CC2D0}.dat
Filesize
5KB

MD5
4b3e61465a042217351ab3e6c1205b38

SHA1
6b59a28e8ed0abf3de47d24bf0ae1a9029a58236

SHA256
02de0f7d8243d2aaaf9bbdd8966c406ab98a7b804fe0e99119c4845392828895

SHA512
c169a5f09202d051303a9e9fdc839fb477f3fcc94eec6820d1d561b330e1146a196eac2c1b7cc7bd492ffa1fd10202e1d69b4fcce25453fcab2fed62b1c99dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A72794A9-F03F-11EC-AC67-4270B13CC2D0}.dat
Filesize
4KB

MD5
3852eab49a81db61ecab3a19f7575f45

SHA1
c422c5faa4d8dbbdaf4feb33b75d7c725c118488

SHA256
0d8acdeed7aa97bc6c1311557975a02604362c9937a38920666c7759bb842585

SHA512
c28d6771c468f89813bb82b93f6a64708c971cae47a992e73435a4588d0131b55ecdc02aa285fa7cea7941130993bf7034144ebf456d932d7a3620c4f3db7ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\33c4503e147d203ebe76e4bf27c1248f167bc02ee42547bc916e905ab7eb81bfSrv.exe
Filesize
140KB

MD5
1ab2568e4a86310a921c9c7bcb1a5d33

SHA1
ec6bcec48fb91593590f5765700570b49118acbf

SHA256
7d35bfe88c187b6d90500a8d9c9b50865deb80f302335e53b36ff91cf1b10639

SHA512
8e918242eecfb8498499f677e74e7cfd888992a5e6d7348532aebfc924ee7b853af96aed300dbf388e9374006b3fbc234cd3aa4c066e1664542e8ef3fb071f67

Download Submit
memory/1120-134-0x0000000000000000-mapping.dmp

Download
memory/1120-146-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1120-148-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2472-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2472-130-0x0000000000000000-mapping.dmp

Download
memory/2472-145-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-140-0x0000000000000000-mapping.dmp

Download
memory/2580-147-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3288-131-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3288-139-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3288-133-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/3288-141-0x00000000005B0000-0x00000000005BF000-memory.dmp

Filesize
60KB

Download
memory/3288-142-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download