ramnit | 4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2

Analysis

max time kernel
145s
max time network
143s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-07-2022 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe
Size

124KB
MD5

c6ce21c4c9389a23d6deac23d9d43190
SHA1

36036d346993df07681926111f73891dd8f19846
SHA256

4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2
SHA512

fa90bc5a6d1753ae08ee384c6e7d333da416f166edc4b72b605029a01d636773e728743c86d547413e4a9bcd8ea40ddf3d89588c3aca747d20dd9575f2d2110f

Score

10^/10

ramnit aspackv2 banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ByNC.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\ByNC.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\ByNC.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\ByNC.exe	aspack_v212_v242
\Windows\Temp\ByNC.exe	aspack_v212_v242
\Windows\Temp\ByNC.exe	aspack_v212_v242
C:\Windows\Temp\ByNC.exe	aspack_v212_v242
C:\Windows\TEMP\ByNC.exe	aspack_v212_v242

Executes dropped EXE 10 IoCs

Processes:

ByNC.exe4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exeDesktopLayer.exeEugoqy.exeByNC.exeEugoqySrv.exeDesktopLayer.exeEugoqy.exeEugoqySrv.exeDesktopLayer.exe

pid	process
2044	ByNC.exe
1724	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe
776	DesktopLayer.exe
1184	Eugoqy.exe
1708	ByNC.exe
1956	EugoqySrv.exe
1976	DesktopLayer.exe
992	Eugoqy.exe
568	EugoqySrv.exe
1968	DesktopLayer.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1080-61-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1080-63-0x00000000001D0000-0x00000000001D9000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1724-73-0x0000000000400000-0x0000000000435000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/776-76-0x0000000000400000-0x0000000000435000-memory.dmp	upx
C:\Program Files (x86)\Eugoqy.exe	upx
\Program Files (x86)\EugoqySrv.exe	upx
C:\Program Files (x86)\EugoqySrv.exe	upx
behavioral1/memory/1080-90-0x0000000000400000-0x000000000042C000-memory.dmp	upx
C:\Program Files (x86)\EugoqySrv.exe	upx
C:\Program Files (x86)\Eugoqy.exe	upx
C:\Program Files (x86)\Eugoqy.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\EugoqySrv.exe	upx
C:\Program Files (x86)\EugoqySrv.exe	upx
behavioral1/memory/1184-106-0x0000000000400000-0x000000000042C000-memory.dmp	upx
C:\Program Files (x86)\EugoqySrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/992-105-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1956-96-0x0000000000400000-0x0000000000435000-memory.dmp	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\EugoqySrv.exe	upx
behavioral1/memory/992-129-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1184-130-0x00000000002C0000-0x00000000002F5000-memory.dmp	upx
behavioral1/memory/992-131-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Loads dropped DLL 10 IoCs

Processes:

4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exeEugoqy.exeEugoqySrv.exeEugoqy.exeEugoqySrv.exe

pid	process
1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe
1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe
1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe
1724	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe
1184	Eugoqy.exe
1184	Eugoqy.exe
1184	Eugoqy.exe
1956	EugoqySrv.exe
992	Eugoqy.exe
568	EugoqySrv.exe

Creates a Windows Service
persistence

Drops file in System32 directory 64 IoCs

Processes:

iexplore.exeByNC.exeiexplore.exeIEXPLORE.EXEie4uinit.exeEugoqy.exeIEXPLORE.EXE

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\6AF8XZJH.txt	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\k4[1].rar	ByNC.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{17A0D5E1-01F1-11ED-B669-4659A2147DF1}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{17713A63-01F1-11ED-B669-4659A2147DF1}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\6AF8XZJH.txt	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	Eugoqy.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\1QGV5L5P.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\1QGV5L5P.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\k2[1].rar	ByNC.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{17A0D5E3-01F1-11ED-B669-4659A2147DF1}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	Eugoqy.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_B2FEEE6B08CF6C854CB2A5F3B5EFD61C	Eugoqy.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\00TOD2JZ.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\NR5YS2MG.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\0PY7ZWWB.txt	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\imagestore\mqkd0np\imagestore.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Z66T98MO.txt	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\YOG490OX.txt	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Eugoqy.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\H69NXKJ3.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\0PY7ZWWB.txt	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url:favicon	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\k3[1].rar	ByNC.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\suggestions[1].en-US	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{17713A6C-01F1-11ED-B669-4659A2147DF1}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	iexplore.exe
File created	C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url\:favicon:$DATA	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_B2FEEE6B08CF6C854CB2A5F3B5EFD61C	Eugoqy.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\BLROV203.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\00TOD2JZ.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{17A0D5E1-01F1-11ED-B669-4659A2147DF1}.dat	iexplore.exe

Drops file in Program Files directory 64 IoCs

Processes:

ByNC.exeByNC.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{FDD6847E-F168-4017-89D1-17A74E052590}\chrome_installer.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	ByNC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	ByNC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	ByNC.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	ByNC.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	ByNC.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	ByNC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	ByNC.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	ByNC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	ByNC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	ByNC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	ByNC.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	ByNC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	ByNC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	ByNC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	ByNC.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	ByNC.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	ByNC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	ByNC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	ByNC.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe	ByNC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "364402026"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{16EBED61-01F1-11ED-B669-4659A2147DF1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

iexplore.exeEugoqy.exeIEXPLORE.EXEByNC.exeiexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-98-6d-4e-6a-3d\WpadDecisionTime = 00df6adefd95d801	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ByNC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{1DC9900C-0E27-49B4-AB21-3260970E60CA}"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-98-6d-4e-6a-3d\WpadDecision = "0"	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Eugoqy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF8CB47B-A664-49A4-981A-1FBA99B1249C}\WpadDecisionTime = 2045fa04fe95d801	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ByNC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 85000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-98-6d-4e-6a-3d\WpadDecisionTime = 80b443ddfd95d801	ByNC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF8CB47B-A664-49A4-981A-1FBA99B1249C}\WpadDecisionReason = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e607070002000c000e002c000c002403	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000000000002f000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF8CB47B-A664-49A4-981A-1FBA99B1249C}\WpadDecisionReason = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e607070002000c000e002c001300c800	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF8CB47B-A664-49A4-981A-1FBA99B1249C}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Flags = "1024"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	Eugoqy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-98-6d-4e-6a-3d\WpadDecisionTime = 404d31e2fd95d801	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Eugoqy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Eugoqy.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Eugoqy.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

DesktopLayer.exeDesktopLayer.exeDesktopLayer.exe

pid	process
776	DesktopLayer.exe
776	DesktopLayer.exe
776	DesktopLayer.exe
776	DesktopLayer.exe
1976	DesktopLayer.exe
1976	DesktopLayer.exe
1976	DesktopLayer.exe
1976	DesktopLayer.exe
1968	DesktopLayer.exe
1968	DesktopLayer.exe
1968	DesktopLayer.exe
1968	DesktopLayer.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe

pid process

1080 4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe

description pid process

Token: SeDebugPrivilege 1080 4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe

description	pid	process
Token: SeDebugPrivilege	1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid	process
1088	iexplore.exe
1088	iexplore.exe
980	iexplore.exe
916	iexplore.exe
1088	iexplore.exe
1088	iexplore.exe
1088	iexplore.exe
1088	iexplore.exe
1088	iexplore.exe
1088	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
916	iexplore.exe
916	iexplore.exe
1088	iexplore.exe
1088	iexplore.exe
980	iexplore.exe
980	iexplore.exe
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exeDesktopLayer.exeEugoqy.exeiexplore.exeEugoqySrv.exeEugoqy.exeDesktopLayer.exeiexplore.exeEugoqySrv.exeDesktopLayer.exeiexplore.exeByNC.exe

description	pid	process	target process
PID 1080 wrote to memory of 2044	1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe	ByNC.exe
PID 1080 wrote to memory of 2044	1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe	ByNC.exe
PID 1080 wrote to memory of 2044	1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe	ByNC.exe
PID 1080 wrote to memory of 2044	1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe	ByNC.exe
PID 1080 wrote to memory of 1724	1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe
PID 1080 wrote to memory of 1724	1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe
PID 1080 wrote to memory of 1724	1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe
PID 1080 wrote to memory of 1724	1080	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe
PID 1724 wrote to memory of 776	1724	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe	DesktopLayer.exe
PID 1724 wrote to memory of 776	1724	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe	DesktopLayer.exe
PID 1724 wrote to memory of 776	1724	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe	DesktopLayer.exe
PID 1724 wrote to memory of 776	1724	4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe	DesktopLayer.exe
PID 776 wrote to memory of 916	776	DesktopLayer.exe	iexplore.exe
PID 776 wrote to memory of 916	776	DesktopLayer.exe	iexplore.exe
PID 776 wrote to memory of 916	776	DesktopLayer.exe	iexplore.exe
PID 776 wrote to memory of 916	776	DesktopLayer.exe	iexplore.exe
PID 1184 wrote to memory of 1708	1184	Eugoqy.exe	ByNC.exe
PID 1184 wrote to memory of 1708	1184	Eugoqy.exe	ByNC.exe
PID 1184 wrote to memory of 1708	1184	Eugoqy.exe	ByNC.exe
PID 1184 wrote to memory of 1708	1184	Eugoqy.exe	ByNC.exe
PID 1184 wrote to memory of 1956	1184	Eugoqy.exe	EugoqySrv.exe
PID 1184 wrote to memory of 1956	1184	Eugoqy.exe	EugoqySrv.exe
PID 1184 wrote to memory of 1956	1184	Eugoqy.exe	EugoqySrv.exe
PID 1184 wrote to memory of 1956	1184	Eugoqy.exe	EugoqySrv.exe
PID 916 wrote to memory of 1624	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1624	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1624	916	iexplore.exe	IEXPLORE.EXE
PID 916 wrote to memory of 1624	916	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 992	1184	Eugoqy.exe	Eugoqy.exe
PID 1184 wrote to memory of 992	1184	Eugoqy.exe	Eugoqy.exe
PID 1184 wrote to memory of 992	1184	Eugoqy.exe	Eugoqy.exe
PID 1184 wrote to memory of 992	1184	Eugoqy.exe	Eugoqy.exe
PID 1956 wrote to memory of 1976	1956	EugoqySrv.exe	DesktopLayer.exe
PID 1956 wrote to memory of 1976	1956	EugoqySrv.exe	DesktopLayer.exe
PID 1956 wrote to memory of 1976	1956	EugoqySrv.exe	DesktopLayer.exe
PID 1956 wrote to memory of 1976	1956	EugoqySrv.exe	DesktopLayer.exe
PID 992 wrote to memory of 568	992	Eugoqy.exe	EugoqySrv.exe
PID 992 wrote to memory of 568	992	Eugoqy.exe	EugoqySrv.exe
PID 992 wrote to memory of 568	992	Eugoqy.exe	EugoqySrv.exe
PID 992 wrote to memory of 568	992	Eugoqy.exe	EugoqySrv.exe
PID 1976 wrote to memory of 1088	1976	DesktopLayer.exe	iexplore.exe
PID 1976 wrote to memory of 1088	1976	DesktopLayer.exe	iexplore.exe
PID 1976 wrote to memory of 1088	1976	DesktopLayer.exe	iexplore.exe
PID 1976 wrote to memory of 1088	1976	DesktopLayer.exe	iexplore.exe
PID 1088 wrote to memory of 1912	1088	iexplore.exe	ie4uinit.exe
PID 1088 wrote to memory of 1912	1088	iexplore.exe	ie4uinit.exe
PID 1088 wrote to memory of 1912	1088	iexplore.exe	ie4uinit.exe
PID 568 wrote to memory of 1968	568	EugoqySrv.exe	DesktopLayer.exe
PID 568 wrote to memory of 1968	568	EugoqySrv.exe	DesktopLayer.exe
PID 568 wrote to memory of 1968	568	EugoqySrv.exe	DesktopLayer.exe
PID 568 wrote to memory of 1968	568	EugoqySrv.exe	DesktopLayer.exe
PID 1968 wrote to memory of 980	1968	DesktopLayer.exe	iexplore.exe
PID 1968 wrote to memory of 980	1968	DesktopLayer.exe	iexplore.exe
PID 1968 wrote to memory of 980	1968	DesktopLayer.exe	iexplore.exe
PID 1968 wrote to memory of 980	1968	DesktopLayer.exe	iexplore.exe
PID 1088 wrote to memory of 1632	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 1632	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 1632	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 1632	1088	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 1988	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 1988	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 1988	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 1988	980	iexplore.exe	IEXPLORE.EXE
PID 2044 wrote to memory of 2108	2044	ByNC.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe
"C:\Users\Admin\AppData\Local\Temp\4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\ByNC.exe
C:\Users\Admin\AppData\Local\Temp\ByNC.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3d6147be.bat" "
3⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe
C:\Users\Admin\AppData\Local\Temp\4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Program Files (x86)\Eugoqy.exe
"C:\Program Files (x86)\Eugoqy.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\TEMP\ByNC.exe
C:\Windows\TEMP\ByNC.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\TEMP\6d6d007b.bat" "
3⤵
PID:2232

C:\Program Files (x86)\EugoqySrv.exe
"C:\Program Files (x86)\EugoqySrv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
5⤵
- Drops file in System32 directory
PID:1912

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1088 CREDAT:275457 /prefetch:2
5⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Program Files (x86)\Eugoqy.exe
"C:\Program Files (x86)\Eugoqy.exe" Win7
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:992

C:\Program Files (x86)\EugoqySrv.exe
"C:\Program Files (x86)\EugoqySrv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:980 CREDAT:275457 /prefetch:2
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Eugoqy.exe
Filesize
124KB

MD5
c6ce21c4c9389a23d6deac23d9d43190

SHA1
36036d346993df07681926111f73891dd8f19846

SHA256
4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2

SHA512
fa90bc5a6d1753ae08ee384c6e7d333da416f166edc4b72b605029a01d636773e728743c86d547413e4a9bcd8ea40ddf3d89588c3aca747d20dd9575f2d2110f

Download Submit
C:\Program Files (x86)\Eugoqy.exe
Filesize
124KB

MD5
c6ce21c4c9389a23d6deac23d9d43190

SHA1
36036d346993df07681926111f73891dd8f19846

SHA256
4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2

SHA512
fa90bc5a6d1753ae08ee384c6e7d333da416f166edc4b72b605029a01d636773e728743c86d547413e4a9bcd8ea40ddf3d89588c3aca747d20dd9575f2d2110f

Download Submit
C:\Program Files (x86)\Eugoqy.exe
Filesize
124KB

MD5
c6ce21c4c9389a23d6deac23d9d43190

SHA1
36036d346993df07681926111f73891dd8f19846

SHA256
4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2

SHA512
fa90bc5a6d1753ae08ee384c6e7d333da416f166edc4b72b605029a01d636773e728743c86d547413e4a9bcd8ea40ddf3d89588c3aca747d20dd9575f2d2110f

Download Submit
C:\Program Files (x86)\EugoqySrv.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Program Files (x86)\EugoqySrv.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Program Files (x86)\EugoqySrv.exe
Filesize
100KB

MD5
30a4ac1b2416df0e4a40780313f70046

SHA1
aa393fc11ca6c3cae468fc818eead2ace1cea72f

SHA256
c994351fc56014f900e3d09bcfbade6ccf0056c4ce07d67ad64688f61ced6ef5

SHA512
f7592df3f085d2d827452a981e109cfd265c82abc8653b36a815d10ac5de87d1d92da98873fc5f551e780ead28802935c0951aaf7860c19d93a67e63a6ba214c

Download Submit
C:\Program Files (x86)\EugoqySrv.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Program Files (x86)\EugoqySrv.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
31KB

MD5
f33376738b984986a180cc16d91db294

SHA1
080fb02ac846b0970d0c80a4870d862451e2499c

SHA256
755c175da39572f1b4762be3b68455a5661c1486a7bd9ccd416c52f25f23ff8e

SHA512
f5e17a8c148afc159fab36cdf0a9baac8b34c6f2ece2ffbb68e87b246dabdb45b1f5dcd6f1d9090017874b31b41e15e708130a8855f90294b177c73b64c0685a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d6147be.bat
Filesize
183B

MD5
b1988462d8370789570c56fe8be3398e

SHA1
8248e70fba2983f5567fd5619016a6c22b4fd424

SHA256
53bd3a50aa64f3f3e42700ebdf422439762e2c0fcf809d1efdfca7c730c739d2

SHA512
3039a84f033300fd6143c837530184ae458d3e47c6c76d4d5e14e989c4407462c4e5afba7484d9199ca1a6096d7b6f829a039fe040de303143acf4e2278caf18

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByNC.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByNC.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AYFJ3R3D.txt
Filesize
595B

MD5
7596273f4418c40e379179b762f730a5

SHA1
3a91d566073a0ac675be5aff172e43dedcebca8d

SHA256
a81d1360dd108bb5027ed6048ee2a3ed93405601a2406528b9caa8baa409ee22

SHA512
0600e0e958aefbe6bc8ce6b06e0254ee1fa59c78eef9fc7540f65f16fcc5b2032820344ab7e3dc6cc8eb7ff7a22682ea1fbefb755006d9daef7e0bcde8d94e52

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini
Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\TEMP\6d6d007b.bat
Filesize
129B

MD5
891d7ea39b180e161a9bf202cce55c37

SHA1
dad2ce9f808a5d10dca1de11838016068ec0fdb0

SHA256
51249228013d19f60c42548b9fae7ec1ef835a47e73a66296520b351cdc309a2

SHA512
44be0bcdf7f098a1f4b4cb4424377d387a52fee60288500ee5312f5257cbfcb70384e4b16c2475dc5ad8eb6218c851f013c3976a5efb0c1f9847d6d09e92085a

Download Submit
C:\Windows\TEMP\ByNC.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Windows\Temp\ByNC.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize
1KB

MD5
8c8793779f737bc2399d1408079dd882

SHA1
1841589ca658d6216673c5022210f942c9872b94

SHA256
d8e66cce178979bcc2dad6f6d8e0265e5297b43804ea9644199d4ac580764bd9

SHA512
928d3cc0f439a9cfacc52f8a0956f8218050483e8859fe910a71412bdef4487fdc931d186f4ea2a2e693f2c46da0f11af2ed3611b8d5037911a66bfb16e71afb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize
434B

MD5
5cb2760f9d66293d846c7dc0974dd1bf

SHA1
7b5696461149da2aa69295abd300dd8d427072bf

SHA256
32db567448d9fb160ad40969c09f96e37f23d343b1be1d1de59311e7beee56ae

SHA512
8e71b5060817f5609500e3fda7317d48f996dab0417b45bd2d860ad8764838bfddede21263f2c6c679419b3f4d57e7a5eaba09110bac753390ff58fa491ac7aa

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{17713A61-01F1-11ED-B669-4659A2147DF1}.dat
Filesize
3KB

MD5
f8fbf50eda59e672dbd795015d93d16d

SHA1
8d218dabe72fc9af178425e7144835ab735dbdf5

SHA256
3ad5ecfacc820435a2f86cd03859edbcae31333e89a49a3a9997b97d72866767

SHA512
2e86f8b01d0778d20e735626d464b9041817b7070cbbf0f2730150e12a08760044639f7a1b43a88a09d7d97dc55e11ebff06b0982a357fcdec1048e070f77344

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{17A0D5E1-01F1-11ED-B669-4659A2147DF1}.dat
Filesize
5KB

MD5
33a888a502134752933f13351062660e

SHA1
725d663b3e6e63a32466f59591746601711b6dbd

SHA256
9c6446eb09ec7b1ad690c60d71e5e3da6ec3cddc0868552ae87d16618cb0ddc9

SHA512
a6ad9647a15bacd07551e84f05ead1fbfb007e6deac85f5a1c881d079667756a0d18d6272fd5312fbc4e8bdf58357a56382c5a917d75efbc23a6faecb63dce05

Download Submit
\Program Files (x86)\EugoqySrv.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
\Program Files (x86)\EugoqySrv.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
\Users\Admin\AppData\Local\Temp\4b75a200664d5e43fb297347fd6f93e8f8685320bd1959c5b07f3c597918c8f2Srv.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
\Users\Admin\AppData\Local\Temp\ByNC.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\ByNC.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Windows\Temp\ByNC.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Windows\Temp\ByNC.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/568-103-0x0000000000000000-mapping.dmp

Download
memory/776-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/776-71-0x0000000000000000-mapping.dmp

Download
memory/992-131-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/992-129-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/992-118-0x0000000000370000-0x00000000003A5000-memory.dmp

Filesize
212KB

Download
memory/992-93-0x0000000000000000-mapping.dmp

Download
memory/992-105-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1080-90-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1080-63-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1080-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1080-54-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download
memory/1080-62-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1184-135-0x00000000002C0000-0x00000000002C9000-memory.dmp

Filesize
36KB

Download
memory/1184-130-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/1184-106-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1184-136-0x00000000002C0000-0x00000000002C9000-memory.dmp

Filesize
36KB

Download
memory/1184-115-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/1184-109-0x00000000002C0000-0x00000000002C9000-memory.dmp

Filesize
36KB

Download
memory/1708-113-0x0000000001070000-0x0000000001079000-memory.dmp

Filesize
36KB

Download
memory/1708-81-0x0000000000000000-mapping.dmp

Download
memory/1708-127-0x0000000001070000-0x0000000001079000-memory.dmp

Filesize
36KB

Download
memory/1724-66-0x0000000000000000-mapping.dmp

Download
memory/1724-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-104-0x0000000000000000-mapping.dmp

Download
memory/1956-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-87-0x0000000000000000-mapping.dmp

Download
memory/1968-112-0x0000000000000000-mapping.dmp

Download
memory/1976-95-0x0000000000000000-mapping.dmp

Download
memory/2044-64-0x0000000000300000-0x0000000000309000-memory.dmp

Filesize
36KB

Download
memory/2044-57-0x0000000000000000-mapping.dmp

Download
memory/2044-124-0x0000000000300000-0x0000000000309000-memory.dmp

Filesize
36KB

Download
memory/2108-123-0x0000000000000000-mapping.dmp

Download
memory/2232-126-0x0000000000000000-mapping.dmp

Download