ramnit | 59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824

General

Target

59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
Size

132KB
MD5

100e0bc3237b7ebc9cb567627b521bc5
SHA1

04af221d68b49027bb42280a4182ee2c8cae2414
SHA256

59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824
SHA512

e9168b549678825fbec47172cb62778d5f99a8ea7227d83515a1ecbdb66967e682f997689c0703afe8a289fc75749cd213dfe060fedd693307c7d5a8a8228b15
SSDEEP

3072:sfBgCILyfukodRpLlQtkTeNQ1MDLlXjCtIDNi/IdOY:sfmdkojTT1MDhXRgIo

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe:*:enabled:@shell32.dll,-1"	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exeDesktopLayer.exe

pid process

2108 59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe
1592 DesktopLayer.exe

pid	process
2108	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe
1592	DesktopLayer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe	upx
behavioral2/memory/2108-136-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/1592-140-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/1592-145-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe

description	ioc	process
File opened (read-only)	\??\W:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\E:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\F:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\J:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\O:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\P:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\Q:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\S:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\Y:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\Z:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\G:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\K:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\L:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\M:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\R:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\T:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\H:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\I:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\U:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\V:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\N:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
File opened (read-only)	\??\X:	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe

Drops file in Program Files directory 3 IoCs

Processes:

59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px5FE3.tmp	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999385"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999385"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3393254998"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3404818619"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F4BBBA8B-6F4C-11ED-89AC-F6A3911CAFFB} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376426160"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999385"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3393254998"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exeDesktopLayer.exe

pid	process
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
1592	DesktopLayer.exe
1592	DesktopLayer.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
1592	DesktopLayer.exe
1592	DesktopLayer.exe
1592	DesktopLayer.exe
1592	DesktopLayer.exe
1592	DesktopLayer.exe
1592	DesktopLayer.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe

pid	process
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe

description pid process

Token: SeDebugPrivilege 5040 59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3284 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3284 iexplore.exe
3284 iexplore.exe
4388 IEXPLORE.EXE
4388 IEXPLORE.EXE
4388 IEXPLORE.EXE
4388 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe

pid	process
3284	iexplore.exe

pid	process
3284	iexplore.exe
3284	iexplore.exe
4388	IEXPLORE.EXE
4388	IEXPLORE.EXE
4388	IEXPLORE.EXE
4388	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe

description	pid	process	target process
PID 5040 wrote to memory of 2108	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe
PID 5040 wrote to memory of 2108	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe
PID 5040 wrote to memory of 2108	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe
PID 5040 wrote to memory of 596	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	winlogon.exe
PID 5040 wrote to memory of 596	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	winlogon.exe
PID 5040 wrote to memory of 596	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	winlogon.exe
PID 5040 wrote to memory of 596	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	winlogon.exe
PID 5040 wrote to memory of 596	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	winlogon.exe
PID 5040 wrote to memory of 596	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	winlogon.exe
PID 5040 wrote to memory of 672	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	lsass.exe
PID 5040 wrote to memory of 672	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	lsass.exe
PID 5040 wrote to memory of 672	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	lsass.exe
PID 5040 wrote to memory of 672	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	lsass.exe
PID 5040 wrote to memory of 672	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	lsass.exe
PID 5040 wrote to memory of 672	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	lsass.exe
PID 5040 wrote to memory of 776	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 776	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 776	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 776	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 776	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 776	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 784	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 784	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 784	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 784	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 784	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 784	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	fontdrvhost.exe
PID 5040 wrote to memory of 796	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 796	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 796	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 796	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 796	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 796	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 908	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 908	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 908	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 908	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 908	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 908	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 956	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 956	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 956	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 956	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 956	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 956	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 60	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	dwm.exe
PID 5040 wrote to memory of 60	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	dwm.exe
PID 5040 wrote to memory of 60	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	dwm.exe
PID 5040 wrote to memory of 60	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	dwm.exe
PID 5040 wrote to memory of 60	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	dwm.exe
PID 5040 wrote to memory of 60	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	dwm.exe
PID 5040 wrote to memory of 524	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 524	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 524	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 524	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 524	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 524	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 700	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 700	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 700	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 700	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 700	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 700	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe
PID 5040 wrote to memory of 952	5040	59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:60

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1144

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2100

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3140

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4184

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4420

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3216

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe
"C:\Users\Admin\AppData\Local\Temp\59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824.exe"
2⤵
- Modifies firewall policy service
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Local\Temp\59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe
C:\Users\Admin\AppData\Local\Temp\59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2108

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3284

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3284 CREDAT:17410 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2592

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1780

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
dedb504b3469b24ec0df79c68f5772e2

SHA1
177a8b1045b456316ca32d90aba942bf34774c64

SHA256
e18111fd56db31f02eb16990f0bbc7991a0c80571703281ee66010e229c9f8b0

SHA512
101312fa01991caeaef010d0d21e740244cb3768490a1b82ae12e7524e50b6e7f2e23c08978ac4c373e9013baa0a8f50de8e1994341556b78ecd88ce13df5680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
024b249d006ff5421da53d32b4f96e19

SHA1
50627429bad492c67d639b1851bd38d589d4bfab

SHA256
735b452081631e7993398f4faa91018d303c76d75d8a092723443b58032c689c

SHA512
77e69fe5ed7c1cf797fa5bed595b7d29d99bcf2fde3be2cc93e0a6782437a9ba2c134a2e2482dfd5dcb548efb1a66560c5974a003d653c193d642edf6f3f8e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\59907ef75a57a8f301a9c9e8bd042287f4e32691e78c05599201e0e53c051824Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1592-144-0x0000000000590000-0x000000000059F000-memory.dmp

Filesize
60KB

Download
memory/1592-138-0x0000000000000000-mapping.dmp

Download
memory/1592-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1592-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2108-142-0x00000000004B0000-0x00000000004BF000-memory.dmp

Filesize
60KB

Download
memory/2108-137-0x00000000004B0000-0x00000000004BF000-memory.dmp

Filesize
60KB

Download
memory/2108-132-0x0000000000000000-mapping.dmp

Download
memory/2108-136-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5040-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5040-135-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads