ramnit | 8c567466c81c3a9d6df420b22e049b3a6ad018f9919537a52f8399a806ed826c

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7702edd64fb8c9191d5bd3a4d3dc89b0_JaffaCakes118.html
Size

347KB
MD5

7702edd64fb8c9191d5bd3a4d3dc89b0
SHA1

e9bf06140e93a90fc29ed576280ffc04f845bc5b
SHA256

8c567466c81c3a9d6df420b22e049b3a6ad018f9919537a52f8399a806ed826c
SHA512

5a2df7e7b63994261e741855c11c3b265d77044464a9c2484a1b6a11736468b9609e01c429f2265b4edc8908d77098c152ad1d2e398e45527bceba26ca304b7d
SSDEEP

6144:3sMYod+X3oI+YSsMYod+X3oI+Y5sMYod+X3oI+YQ:b5d+X3S5d+X3f5d+X3+

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 6 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exe

pid process

2720 svchost.exe
2872 DesktopLayer.exe
2680 svchost.exe
2564 DesktopLayer.exe
1620 svchost.exe
2572 DesktopLayer.exe
Loads dropped DLL 4 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2028 IEXPLORE.EXE
2720 svchost.exe
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE

pid	process
2720	svchost.exe
2872	DesktopLayer.exe
2680	svchost.exe
2564	DesktopLayer.exe
1620	svchost.exe
2572	DesktopLayer.exe

pid	process
2028	IEXPLORE.EXE
2720	svchost.exe
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2720-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2720-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2872-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2572-35-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px2481.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px255C.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px258A.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422924620"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000124af835617a0bcc1dbca63253d8a0016eb7356e0369904ba7856f933f609885000000000e80000000020000200000000004114879f7048015ddf026fc913b2ae0f7dea6d83210f8129344b06a128cbd200000004cce757d414b2a1667d0b2d7b3b93b4d4054fc9a3bb2bb46a71c2421eacdbc39400000001340949efd91938d75f96256f95e750a4bc87f7280c986ac7d305283e0e14a66482c1943b243bfcf14f88aba9d17f0a41a3bf4ad536afd82875c928ae94f140b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8444BE1-1BAF-11EF-B393-E64BF8A7A69F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04de3b0bcafda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e93610000000002000000000010660000000100002000000055a3cef04c86e5f2a0050a9348289093ca90ea8a640dcbfdb29424c6c2c7cc7f000000000e8000000002000020000000247a5451fb2aba424b30f026e37319afa0b57e78ebab2734dc00ab5edb11331d900000009314e77bb624a2580dbd91b6c0c566146dd94a2618bcb83b5d92c80f5bc46a3d286e2cfc579a6a139effd26e3775d73cbff86a0eb2deacac1e17c4b17657a9172845314ca40785f8c062558b05f71cd202b75bbc2a1411950fa0227799082a7629f38d59700d16c067983d242ae0df144ac7ed502616a8dd9088637fd7b6b4ab73a08ff186587e4fee886f66f320283640000000be0d50293734ef2b8fc97d76128c30ebbc28cdfcbf488bcd54872a707cacad8ad7e533b5bc126a2c3c2239b7ae17f935ecff0319f6db2c42eec1df2c669e625c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

DesktopLayer.exeDesktopLayer.exeDesktopLayer.exe

pid	process
2872	DesktopLayer.exe
2872	DesktopLayer.exe
2872	DesktopLayer.exe
2872	DesktopLayer.exe
2564	DesktopLayer.exe
2564	DesktopLayer.exe
2564	DesktopLayer.exe
2564	DesktopLayer.exe
2572	DesktopLayer.exe
2572	DesktopLayer.exe
2572	DesktopLayer.exe
2572	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid process

2932 iexplore.exe
2932 iexplore.exe
2932 iexplore.exe
2932 iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2932	iexplore.exe
2932	iexplore.exe
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2932	iexplore.exe
2932	iexplore.exe
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2932	iexplore.exe
2932	iexplore.exe
2932	iexplore.exe
2932	iexplore.exe
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2932 wrote to memory of 2028	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2028	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2028	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2028	2932	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 2720	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2720	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2720	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2720	2028	IEXPLORE.EXE	svchost.exe
PID 2720 wrote to memory of 2872	2720	svchost.exe	DesktopLayer.exe
PID 2720 wrote to memory of 2872	2720	svchost.exe	DesktopLayer.exe
PID 2720 wrote to memory of 2872	2720	svchost.exe	DesktopLayer.exe
PID 2720 wrote to memory of 2872	2720	svchost.exe	DesktopLayer.exe
PID 2872 wrote to memory of 2016	2872	DesktopLayer.exe	iexplore.exe
PID 2872 wrote to memory of 2016	2872	DesktopLayer.exe	iexplore.exe
PID 2872 wrote to memory of 2016	2872	DesktopLayer.exe	iexplore.exe
PID 2872 wrote to memory of 2016	2872	DesktopLayer.exe	iexplore.exe
PID 2932 wrote to memory of 2820	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2820	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2820	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2820	2932	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 2680	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2680	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2680	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 2680	2028	IEXPLORE.EXE	svchost.exe
PID 2680 wrote to memory of 2564	2680	svchost.exe	DesktopLayer.exe
PID 2680 wrote to memory of 2564	2680	svchost.exe	DesktopLayer.exe
PID 2680 wrote to memory of 2564	2680	svchost.exe	DesktopLayer.exe
PID 2680 wrote to memory of 2564	2680	svchost.exe	DesktopLayer.exe
PID 2564 wrote to memory of 2528	2564	DesktopLayer.exe	iexplore.exe
PID 2564 wrote to memory of 2528	2564	DesktopLayer.exe	iexplore.exe
PID 2564 wrote to memory of 2528	2564	DesktopLayer.exe	iexplore.exe
PID 2564 wrote to memory of 2528	2564	DesktopLayer.exe	iexplore.exe
PID 2028 wrote to memory of 1620	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 1620	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 1620	2028	IEXPLORE.EXE	svchost.exe
PID 2028 wrote to memory of 1620	2028	IEXPLORE.EXE	svchost.exe
PID 1620 wrote to memory of 2572	1620	svchost.exe	DesktopLayer.exe
PID 1620 wrote to memory of 2572	1620	svchost.exe	DesktopLayer.exe
PID 1620 wrote to memory of 2572	1620	svchost.exe	DesktopLayer.exe
PID 1620 wrote to memory of 2572	1620	svchost.exe	DesktopLayer.exe
PID 2932 wrote to memory of 2812	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2812	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2812	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2812	2932	iexplore.exe	IEXPLORE.EXE
PID 2572 wrote to memory of 2692	2572	DesktopLayer.exe	iexplore.exe
PID 2572 wrote to memory of 2692	2572	DesktopLayer.exe	iexplore.exe
PID 2572 wrote to memory of 2692	2572	DesktopLayer.exe	iexplore.exe
PID 2572 wrote to memory of 2692	2572	DesktopLayer.exe	iexplore.exe
PID 2932 wrote to memory of 1636	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 1636	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 1636	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 1636	2932	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\7702edd64fb8c9191d5bd3a4d3dc89b0_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2720

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2680

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2692

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275465 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:406540 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:668683 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2cc3694402ad91eaa6c9ca2948538934

SHA1
17a1f61b4cd9210e444d4130f21a8f9c16470d96

SHA256
6dd35063a0f4cbf8a0ff6186fa5676f107fb0455b7929ca50f3ced1b69b1e10f

SHA512
9971caf36f099c106bfe9660a45cd2d0007c53fe1b7270574a813d8fff70ae5f41c6ef6dd10568da10ee06be6b17505ac3427fa2e2014f5b0f76057fe9e8a9d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
12ca35dbd8e57afffffd7f18f550c720

SHA1
943311038bd945f167ff543fcd377142e2f67ce0

SHA256
b21046bd0df2a49ba4aab9b0e1190b16e707618c630bfa9566988fd8b106ba81

SHA512
c79b350a23d8085e7bcf6fa5655d4de49bfe58f49c02665c618ba6fc9cb0e0c8d517ba038a889e7df9b0c9636e811261a69a8f4e39cd794dd9e3c7debf655648

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ee2c2343d657b6d6a5950eae3c5fc48c

SHA1
c8d6d728f2ef3713f13521de9d421597bc86d56a

SHA256
342c0c631824102dddee12e49a073dd16802c7c7d2670e9979ca536641f79397

SHA512
110783ea234a019447d8cb6c92a627b7f577e1ffbff9ee01de1b122a9926fba9aa93901ea22b6ec029c082f37a94c178543fc1cd1331806b66aaa6ef3ffa514b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3acbd6a67d0b8c1b5ab006894f65340d

SHA1
2e8333d756369a0bed2b096dc0ad6fdf8797e7b3

SHA256
5591a292ffb1d814470e9dd3fa3c29a9a8f5abd6a33f88070b236add6f3e2054

SHA512
6f97493b1259ccf542454b698b38a85cf1f0eadcd34db141187e38145d3f7e483426788ea88decbc5f8791b078c2dabbabb503f08667dd61d34c9f3ca220b88a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c2f30ef18c7430a54ac50c1f82baa269

SHA1
4bc46e3085287144bd95c8854d0ffe79842fe370

SHA256
16cbca93c4cb3afc1450eb7117d9fc7df497a0f7656c63adc30a64046d1393df

SHA512
7278162e42d2b1437acc6c0a0ae478e759eae30dc35faf854df87bb3f01e9324707fb388bf48e13eb0b333d0d1c3150ac444c00ab34f53df3022dd20f2ccb513

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f124f20f5c38c17ed8c306e7c95b0d3e

SHA1
91a3c75f965c977bc8a6adb98d965eee8a94aad5

SHA256
9d464691e70f82ea11280c53d3210ce4dc259c0ef6f33c786bdac69ef4ab1486

SHA512
f582ffa0ab89035797b37f7c5bd18d62a00f6d4172ba0da260cdf5dc3e690a6f5f8e0ba0c2b81bec24e8526611e19b3ad1253072d6caa24b561a3dd1670d7099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9c61a262b73f9d1fa60ae78392b29546

SHA1
59b5f2b4d91a2ea1c2579055237bc6ce4ee9771e

SHA256
80e3107b44f6b1a01cd81476e57a36400c29a71d08998d68a6d317dfe4b7aaa0

SHA512
467335d3726b083bede81f36ddd654673112199f9d678176d1e00e6042f794efad58ce7d3def00a904312df4f954004606c2f19c43a4d2c0ba5a92ac96a95ce0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
95a7e123b888eb8bcd62b9721863f352

SHA1
dd6daeebb9c4f6ea7564f531bf8313785bc8b619

SHA256
f407e6158dd87b2d59cca94dec301c08b40077a446a281c1705cf4ffd0c61c39

SHA512
da47da9c4cfb7842d4555ecb637fb3b3b0f42b9fbe1c66e31f91b22e8dac299abf3f3057c216107d6bef8856b132f88ad3329994b2f77a73cff97faf0a42ef1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7fd2c4446618843500f455ba37bf239a

SHA1
f61e7f08299551ddfe0d0a806e01ad58b37107fc

SHA256
c1865627f11efc4007fcf12e297f7f97940f8db8f6d2fefbe9ceaa17b248cd7c

SHA512
41f0e8a8e68bae7ffda2445e7e32ab2640533f03b279195788cd22d6c78d5ca05241819c175f0dbf215860e5009743bd07e182152c0c1ea6215629293907ea88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2168.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar21C8.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
42bacbdf56184c2fa5fe6770857e2c2d

SHA1
521a63ee9ce2f615eda692c382b16fc1b1d57cac

SHA256
d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

SHA512
0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

Download Submit
memory/2564-27-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2572-37-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2572-35-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2720-9-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download
memory/2720-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2720-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2872-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2872-17-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download