ramnit | 9705f8dacaee0049cc34c8367fea593d9bd5cd1c9e6e2c0061f4745cd5da5f58

Analysis

max time kernel
119s
max time network
68s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9705f8dacaee0049cc34c8367fea593d9bd5cd1c9e6e2c0061f4745cd5da5f58N.dll
Size

467KB
MD5

450f4419627141275f87fdf4332eeb20
SHA1

3c03fb76df343d0e2c032d92fadadd6759469878
SHA256

9705f8dacaee0049cc34c8367fea593d9bd5cd1c9e6e2c0061f4745cd5da5f58
SHA512

166214547fe31de26f4a6d1b8c97432b92224eb71a5649d034945f5ea4846538331280a45df9ac0671401058e5b1ce8b1babbec0f71e155742c951cbf0162ddb
SSDEEP

6144:7SN9V8FwVH/8N3ziDZdii6x+nzArWz0k08U7eI8YelX+XiHfWED6:7Y9jHw3zi1d5ArWod/yI2YAO

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2696	regsvr32Srv.exe
2192	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
988	regsvr32.exe
2696	regsvr32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012259-6.dat	upx
behavioral1/memory/2696-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2696-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxE512.tmp	regsvr32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440811742"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8B4DC621-BE5E-11EF-AD39-C6DA928D33CD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.Encode\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript Author\ = "VB Script Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.Encode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.Encode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.RegExp	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.Encode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript\ = "VB Script Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3743-5B07-11CF-A4B0-00AA004A55E8}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.RegExp\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.RegExp\ = "VBScript Regular Expression"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3742-5B07-11CF-A4B0-00AA004A55E8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS\ = "VB Script Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3742-5B07-11CF-A4B0-00AA004A55E8}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.Encode\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3743-5B07-11CF-A4B0-00AA004A55E8}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.RegExp	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\Version	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS Author\ = "VB Script Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3743-5B07-11CF-A4B0-00AA004A55E8}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\ProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2192	DesktopLayer.exe
2192	DesktopLayer.exe
2192	DesktopLayer.exe
2192	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2916	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2916	iexplore.exe
2916	iexplore.exe
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 988	1668	regsvr32.exe	31
PID 1668 wrote to memory of 988	1668	regsvr32.exe	31
PID 1668 wrote to memory of 988	1668	regsvr32.exe	31
PID 1668 wrote to memory of 988	1668	regsvr32.exe	31
PID 1668 wrote to memory of 988	1668	regsvr32.exe	31
PID 1668 wrote to memory of 988	1668	regsvr32.exe	31
PID 1668 wrote to memory of 988	1668	regsvr32.exe	31
PID 988 wrote to memory of 2696	988	regsvr32.exe	32
PID 988 wrote to memory of 2696	988	regsvr32.exe	32
PID 988 wrote to memory of 2696	988	regsvr32.exe	32
PID 988 wrote to memory of 2696	988	regsvr32.exe	32
PID 2696 wrote to memory of 2192	2696	regsvr32Srv.exe	33
PID 2696 wrote to memory of 2192	2696	regsvr32Srv.exe	33
PID 2696 wrote to memory of 2192	2696	regsvr32Srv.exe	33
PID 2696 wrote to memory of 2192	2696	regsvr32Srv.exe	33
PID 2192 wrote to memory of 2916	2192	DesktopLayer.exe	34
PID 2192 wrote to memory of 2916	2192	DesktopLayer.exe	34
PID 2192 wrote to memory of 2916	2192	DesktopLayer.exe	34
PID 2192 wrote to memory of 2916	2192	DesktopLayer.exe	34
PID 2916 wrote to memory of 2576	2916	iexplore.exe	35
PID 2916 wrote to memory of 2576	2916	iexplore.exe	35
PID 2916 wrote to memory of 2576	2916	iexplore.exe	35
PID 2916 wrote to memory of 2576	2916	iexplore.exe	35

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9705f8dacaee0049cc34c8367fea593d9bd5cd1c9e6e2c0061f4745cd5da5f58N.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\9705f8dacaee0049cc34c8367fea593d9bd5cd1c9e6e2c0061f4745cd5da5f58N.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4238a788853db01472c8d12a2c969baa

SHA1
292900ef06e0648e9c6f7573d61575b5ecfd4cc5

SHA256
24b9c7d8b7ba55df3ca0f3a3484652464d399821647df3ea10d689f7ec8fdd1d

SHA512
8d9b29abd961d32ba02ef86f7aa3c13a09bd8b0e4adea998c032f2c1fb8a404cc3d29666457e166184563e03b19b2e19f972d5fbcb7bca800acfc5cb8ff39ad7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eea5bc98877d2d91abaa8a237428db34

SHA1
6bdbc0446023446f2ef729308785eb17c28cfcce

SHA256
e9c364a532a42c940e9239f866eaa1479676a04b7d97de5e0734b4fc7d7b4215

SHA512
870f623cac93f6d08e6812fdbfea4fada879e1664a500343844f8e325be1ac4f2d23a22553466ca76eb1fb45bc81c743bbdb2c5d97b1fd5899b47988f382907e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3960a90d2269f78ef6e4832aafee147c

SHA1
98f167e1b1667dab00ab581786d8d9beb36f56e4

SHA256
0a7e1a2a9ad12960935beb3894855faa6e90b94128db3608ad74fcd664f06dc2

SHA512
53d2e666f0441bde6439ed819177d86a341ea3a9a2af3c94396161e96a4f5adbd9f4d1bf9d7c2f8670eca12e249d86a5e46ab2f95bf8f336c8e0e5ce49bf8b3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d4e7aad620de3b283b80c750addf001

SHA1
f07dd84f7509045b2fe32985d1232ddd7f0fc8c9

SHA256
52918ec1ffc4fb78863d6b77bc635209466e968dcecfe565ad5ac0597bb81342

SHA512
3f22097b431a5adb8f8445686cc0f6324d89a9b64ccd687f71fb7dbfe39bf0f67bb2e1b624980507af5e38db69dc02174e2e13707e5cbbd810c1886ea5ddb204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c53e9549db8f8ad81d18a6274b39395

SHA1
157b300a4ec1ceadff933689054a6565abb84046

SHA256
368d4223e4fb7112b6fb3f6b6e6a0574f42fa3a679a7607e9ce101f0d6eed383

SHA512
2d7c8b136d8bc021329b56157871cc84ede1e3ac1c4280f212e517dec2ac369d5f74f26a72a483911710f81bc211aaa4759e1ef2a8d16f378196c1209ad0962b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04c8831b8de723c50e40e3395d2769ca

SHA1
3ab267dac2a9b32a7c873ecb08674fca3d26926c

SHA256
811e87e561914cdbbc5c124dac9684c272cfcd95e132da2508add290da0fd0ec

SHA512
30633e4c530bfe29a68c596efccc43e2ec5b70b105d510f9c19cb0d4ed9e23ded700f840a42ca144facf554746d01299bfb42b7a7a5329c6babb03847baceb9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
979c28f48e7f49bc7c9c0a7850f809a5

SHA1
e119457e85550dd797b5f8fade0f70a23bb2eeb0

SHA256
1c0c92de79f5c1071ae2475dcbba7f917cd911662dbffca927943de12890329c

SHA512
b84fea87b63b2577f140815278b6ee990dd363dd65b125877488516d337e1819ff5e0b2d32adf44875167dc3cb2907fc6fe1ad014616baec290c929642bb0fff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1309430fd87922a0de85ac7d289f0058

SHA1
e72e9d50329c1fb016871d2cd0f372a3bd5aefc1

SHA256
af281d8465bbf1f71c884f68c46d814d83a55d3a50fdebfd8c3790d0a27460cf

SHA512
1bc1961cdbd7ad0e0cd71a1cb1bf6fb63e6848d975bb9f92882351280a6b0ebc85ce5cce2bb52e418dcbcaa72ea0df9649c8b5f4c5048908a2cd9132cdf0291f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b09375c293bcf9367d0b423d5a3d63e0

SHA1
72676f6c800f048f4223421859b92ca3e9d1e402

SHA256
5efe1395d9461ef57ab253c12d5fc60f76e814ebbe031261e510dc6fab598f05

SHA512
fd41f70b47ed64cd0332d0b62d11418f27acf9d2b6066004123f9a0603dbba65ecf94b1c4f0a81e4e32b798531f9de753fecca8cef118bc5523be2a5e3ac97f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e54e523d1ce297b12a246e13236fb1f

SHA1
5dbfa33197c539068972917768430960c7015264

SHA256
2b62216186f53d2e2f272fae9f357fd096ef8fa349664c5be079ffb1d7fcb2e8

SHA512
c3709d099d7302fe93d9c7b40a24f7f8e67eb39b99488343d0e64cead8505eccce9618c46f241c7a8c2ddefd9b993558f7d15d2eb42119fa59140a2da95a0c08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
569c4cf4936f3742498217e7c546b30e

SHA1
d0d22bf62c399fcf51c2bd0bc45e0d7af331048a

SHA256
8c87b5ad9745b9404bcb4eea121272e49fdee01fd354b55e75e603acdffc7973

SHA512
e3b7c58110576493dd1d95926e1ad65e7468b566ad5e1c9707edf6ae5565639a834c53dfe8b9bb7a6eb365b64f25e9425e7d3abc39ad2c1b6d73e7b9f6d84999

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e45c189b21c092ace81dcb4bcaa4409

SHA1
f91ba52f967183656561f03905d95b53efd3580d

SHA256
9f23091790e9be3c4a5092afc080af644f2e0b9ac2a8d2dca812c5ebc0a6c137

SHA512
e2fd2956d057b385efb4461257add3a3f67d1ff0fa4f7e1bd367064f148b9e314390c3f3410df4da07cea7523ecfd29185f47a9ba47bf6670d21fd0be2572035

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac9b377b57a62cac64f4eddda6852f36

SHA1
c0f761e748524343ca4d19d080f76ad93b505eff

SHA256
4fa48bd56a45571de1330d700c9542b2de8fa30fcb06b67018c109e02e452075

SHA512
7fb8a131225b762f2c42587cf3cb647342d1080c274b8302e0269dcb4e35df904e7ff5fe74e6509e4155b33537300b73507ff5d0431dceb3d9362b8a72a899ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e8cdbe9165fa9507958107e68849b90

SHA1
8c11c473a0714f54163502a6d21549f132dda017

SHA256
492bdca7b7c0428aa08a921229e5af255a9c1820657b63a1ff55c70d950dc555

SHA512
3a6d2e119a39d6cf8107dafff5d42174f0957d85939f3fff847cd0416ac4fe4c913819c49941eafce157067ff83bcddd5812d7fafa09c73ee1cafe6a125ffd73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10fffb008d10f1e9ec68723ac791e7fd

SHA1
acc6b8c4c06db357e63638a1d1017d2732f23e2c

SHA256
3245f64dbdab5d15feb800abac40ec7e9789ecdce7c8000a79e8fc82348d27dc

SHA512
3ed5427fe00ddfe56b9281eb79d903aa2cfa5d66af946525914c97c01f8378a3eb586e576de0f6ecdb150e3a06422c89c6ed8f26f08aa574a098c6523aa8ad06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a962fa733a09a3e9a970fa6088469f7

SHA1
6725baa7566a6497b98aba1a8a8c19db8787e366

SHA256
0c81678b6fa4f8d0b7e81b564d25b6e83950a9ce5be094b6e377cedd49d5b01b

SHA512
21c3409d51f2f2db975bd42a66a2755c8bb5dfe1e3e72e7a9235faf985e1efa37991619b44c317379ef9f02b20c482c9dff12e43306b47ec92e156531bab631a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7e0f9da6470bb21dc5c98a5b3f39bbc

SHA1
740602fc0d12be96da505dbacb5ad2c3c104f322

SHA256
c7bae80237a367aa6e7226d2755d385ec2956950c8ac253ff24a5ef8b399ce0f

SHA512
025ae7641e14f8fb9863c7c15d1e670d9013eb4a0050814db99f051f56cf111d3d4026269c0af0d567a1e33599ecffce82bc85200ec939b6e732ed4e11423bb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc2db42458e85dd7225e63ec14fc1cbb

SHA1
be2c089dbc7ecaa5a1f549e0d303de6a9f3f4b9c

SHA256
fc75d3565fefdd60691e1ab93a8d8b2930c7740da239983f0c0a1894b97bfccc

SHA512
2ab327011cc3a219402c7a4b6b178da64eb450e06e6a40fe0ab7b3a92c39bc2da5f7281aa47d0258fe18a622104020b7ddb6ec71239b2c9798eb0eb58e1c6f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFAA6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB65.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\regsvr32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/988-1-0x0000000074670000-0x00000000746E9000-memory.dmp

Filesize
484KB

Download
memory/988-4-0x0000000000150000-0x000000000017E000-memory.dmp

Filesize
184KB

Download
memory/2192-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-21-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2192-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2696-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2696-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2696-9-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download