Malware Analysis Report

2025-08-10 23:56

Sample ID 240314-a8mchaee6x
Target c7453fccf113e393515bb6c6af7f0b73
SHA256 e25d37f0e34e022913ed08284f08fc44538cf8ce9aacf24f492774ef7445b40e
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e25d37f0e34e022913ed08284f08fc44538cf8ce9aacf24f492774ef7445b40e

Threat Level: Known bad

The file c7453fccf113e393515bb6c6af7f0b73 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 00:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 00:53

Reported

2024-03-14 00:55

Platform

win7-20240221-en

Max time kernel

118s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxCBD.tmp C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{37BA2831-E19D-11EE-AB41-FA5112F1BCBF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416539456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\" /vcard %1" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wab C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\ = "vcard_wab_auto_file" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\Content Type = "text/x-vcard" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\ = "vCard File" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\",1" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard\Extension = ".vcf" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe
PID 2240 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe
PID 2240 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe
PID 2240 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe
PID 1656 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1656 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1656 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1656 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2952 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2952 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2952 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2952 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2532 wrote to memory of 2796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2532 wrote to memory of 2796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2532 wrote to memory of 2796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2532 wrote to memory of 2796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe

"C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe"

C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe

C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2240-0-0x0000000001000000-0x000000000101C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe

MD5 17efb7e40d4cadaf3a4369435a8772ec
SHA1 eb9302063ac2ab599ae93aaa1e45b88bbeacbca2
SHA256 f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386
SHA512 522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

memory/1656-10-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2240-12-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2240-9-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1656-21-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2952-28-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2952-27-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2952-26-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2952-24-0x0000000000230000-0x0000000000232000-memory.dmp

memory/2952-30-0x0000000076F4F000-0x0000000076F50000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar29D6.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/2240-398-0x0000000001000000-0x000000000101C000-memory.dmp

memory/1656-509-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2952-510-0x0000000076F4F000-0x0000000076F50000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f200e2eb8d59d5c59fba04d6659b2899
SHA1 20793a820d5dda38223bb25d9ae3d5b64cf6c6e6
SHA256 32cdafe39570e447679b3bf399aa284aaa352867c9aef365ee7719c4a80e4083
SHA512 2399ead92fa19b2089b5dbdf102d42f08800eea0a7cd0453bc25f02cee50f8e5f09af3ddcaa29c2aee32124e561ed8894dc32e1b24f75689f9815a34fcdcefce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d1c11fb2150e61980c813678efb3a3c
SHA1 6d1da4224ae1319a658f3d4aa67e356bfa50fc05
SHA256 3087a728146b04f12b6f80b904a2bd91b3be90849b78e85d7756f5b666d6fd78
SHA512 d72583427f6151c1c85506abc0dbc94ec44e4816d933c22e56b3af2159bf7c5fcf0f03d3f59fd2fb491453166bedb9fb261b1e2c3dbd817f34c021f5e133c142

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 00:53

Reported

2024-03-14 00:55

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxA160.tmp C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "472282137" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "475094861" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31094186" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31094186" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "475249748" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417142587" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{47054E14-E19D-11EE-96FD-D65EEEF40ABB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "472282137" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31094186" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31094186" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wab C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\ = "vcard_wab_auto_file" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\ = "vCard File" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard\Extension = ".vcf" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\" /vcard %1" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\",1" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\Content Type = "text/x-vcard" C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4672 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe
PID 4672 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe
PID 4672 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe
PID 620 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 620 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 620 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4748 wrote to memory of 3116 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4748 wrote to memory of 3116 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3116 wrote to memory of 1544 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3116 wrote to memory of 1544 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3116 wrote to memory of 1544 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe

"C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73.exe"

C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe

C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3116 CREDAT:17410 /prefetch:2

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/4672-0-0x0000000001000000-0x000000000101C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c7453fccf113e393515bb6c6af7f0b73Srv.exe

MD5 17efb7e40d4cadaf3a4369435a8772ec
SHA1 eb9302063ac2ab599ae93aaa1e45b88bbeacbca2
SHA256 f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386
SHA512 522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

memory/620-4-0x0000000000400000-0x0000000000413000-memory.dmp

memory/620-7-0x0000000000400000-0x0000000000413000-memory.dmp

memory/620-8-0x0000000000570000-0x0000000000572000-memory.dmp

memory/620-14-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4748-16-0x0000000002020000-0x0000000002021000-memory.dmp

memory/4748-17-0x0000000077DE2000-0x0000000077DE3000-memory.dmp

memory/4748-19-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4748-18-0x0000000077DE2000-0x0000000077DE3000-memory.dmp

memory/4672-21-0x0000000001000000-0x000000000101C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2BBE.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TMWGKKVJ\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee