Malware Analysis Report

2025-01-22 14:39

Sample ID 241210-y4fk6axlbx
Target ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe
SHA256 ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992
Tags
upx bdaejec ramnit aspackv2 backdoor banker discovery spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992

Threat Level: Known bad

The file ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe was found to be: Known bad.

Malicious Activity Summary

upx bdaejec ramnit aspackv2 backdoor banker discovery spyware stealer trojan worm

Ramnit

Detects Bdaejec Backdoor.

Ramnit family

Bdaejec family

Bdaejec

Executes dropped EXE

Checks computer location settings

ASPack v2.12-2.42

UPX packed file

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-10 20:20

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-10 20:20

Reported

2024-12-10 20:22

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe"

Signatures

Bdaejec

backdoor bdaejec

Bdaejec family

bdaejec

Detects Bdaejec Backdoor.

Description Indicator Process Target
N/A N/A N/A N/A

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4236659294" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31148864" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31148864" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440626985" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{27F436EF-B734-11EF-B9D5-D2BD7E71DA05} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31148864" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4233377920" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4233377920" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe
PID 1964 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe
PID 1964 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe
PID 1964 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1964 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1964 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1884 wrote to memory of 2432 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1884 wrote to memory of 2432 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2432 wrote to memory of 4664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2432 wrote to memory of 4664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2432 wrote to memory of 4664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3080 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe

"C:\Users\Admin\AppData\Local\Temp\ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992.exe"

C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe

C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\06c54660.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 api.bing.com udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1964-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3080-4-0x0000000000360000-0x0000000000369000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe

MD5 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

memory/1964-7-0x0000000000450000-0x000000000045F000-memory.dmp

memory/1964-9-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5 74876fc48a70932b998acdd131f6658f
SHA1 b7045114ed5f16b40d6d87df6390798190d08f47
SHA256 ce9615bbb69aed3d293c490f36816a69102fc4473f427bcab6a43b450a7ae992
SHA512 23002857d5041a039900f64ba3349bfe9b3da0ecec222b7ffaf099b0ea4e4490a07acb99c622247d77a1cf4bfdb24a3c93444f6d1c5924d2afde462ed52cea94

memory/1884-14-0x0000000000490000-0x0000000000491000-memory.dmp

memory/1884-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1884-12-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1884-17-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\668240A6.exe

MD5 20879c987e2f9a916e578386d499f629
SHA1 c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512 bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\k2[1].rar

MD5 d3b07384d113edec49eaa6238ad5ff00
SHA1 f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

memory/3080-58-0x0000000000360000-0x0000000000369000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\06c54660.bat

MD5 7cbfe41107c5ade817cce4291550bdc1
SHA1 a3d3e7f60aba28a9753f7047cc89c02ac8616180
SHA256 cfb30d81614c08578abe215d9b8a0313b995227a6ec2193bb49910e9f16b068c
SHA512 4540ce55ea6bb1f62fbda851a5d19e596bd7860c209befbe3251028cbb2afed2475f0d356a58122f7a49606d9f55f667856b25e6f4650cef504b7ddf16fa1632

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4a7d57ebd62331504a7058edbb901d1e
SHA1 a41d8b41d97eadc9949012b0b9be9f7f6f89bb17
SHA256 8f81ca65d627f89e4e74f89b102a94b88beed1b95f763d095705690c48606ad0
SHA512 4111b7e7207298fadcfabe2122d0506f263fba296ddf55343389c2c1bc4a4cbd5fa317981278c6770ffb9d7cf569b0d05ec0da923428373c1171f1bdc00ab421

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 87f8376b71b1fd35da4b511eff055888
SHA1 0c55fba0aa699282bbe4d129dd0ba16d4e377ce9
SHA256 a1383ed3b4f8967fb19f5b16bfe41eb3242b296ffc06c1098fbe1d1a04a7003f
SHA512 8556ed20a3d9daf8f74b2eceaab6a3773b69d5c9524ba8dbb8af1ad64b2235165e487c41646e357be5906aaa7f0f4c57ff8dc9ea2acc0c87f443d3ad083c9031

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee