ramnit | 1c771a318a92f46a45c33b9ca5515e8f1d427e5a6b7a7ea2c2559acbd962712a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/12/2024, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c771a318a92f46a45c33b9ca5515e8f1d427e5a6b7a7ea2c2559acbd962712aN.dll
Size

90KB
MD5

fb527949bf33a30e9289c96558fba3c0
SHA1

95842df94c1ca38925c08be91258ae497be2f9c4
SHA256

1c771a318a92f46a45c33b9ca5515e8f1d427e5a6b7a7ea2c2559acbd962712a
SHA512

6aad18c7e002aef235217d343aaddf586e7065b30771f1f29b9c35067c2d8d8c168145972a68f06b894eed521772fcaf7ef56649b499552d19995eda412b7993
SSDEEP

1536:pszv184cUdfxY0M5uS4H6wiCIREos/5UyMG/42lc/ft06dmo/6O:yzN9c2m0M5uSdPCIRHshUjGncd0OzSO

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2556	regsvr32Srv.exe
2092	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	regsvr32.exe
2556	regsvr32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001225a-6.dat	upx
behavioral1/memory/2556-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2504-4-0x0000000000190000-0x00000000001BE000-memory.dmp	upx
behavioral1/memory/2092-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2092-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB3A6.tmp	regsvr32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441813629"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3E6EB411-C77B-11EF-A641-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx\CurVer\ = "Microsoft.Windows.ActCtx.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1c771a318a92f46a45c33b9ca5515e8f1d427e5a6b7a7ea2c2559acbd962712aN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\ = "Microsoft.Windows.IsolationAutomation Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx\ = "ActCtx Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib\ = "{5E0598D8-34A0-4329-BDBD-9D165C5C1554}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\ProgID\ = "Microsoft.Windows.ActCtx.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\VersionIndependentProgID\ = "Microsoft.Windows.ActCtx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1c771a318a92f46a45c33b9ca5515e8f1d427e5a6b7a7ea2c2559acbd962712aN.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx.1\ = "ActCtx Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib\ = "{5E0598D8-34A0-4329-BDBD-9D165C5C1554}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\TypeLib\ = "{8143C9AA-38F8-4729-B935-DF6823C616C6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E0598D8-34A0-4329-BDBD-9D165C5C1554}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx.1\CLSID\ = "{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Windows.ActCtx\CLSID\ = "{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85BB4477-6DC3-4A8D-84D6-86A0FA1AAF8B}\ = "ActCtx Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ = "IActCtx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\ = "IActCtx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA7728F-B69B-4EE5-99F2-E2AA021BEF28}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2092	DesktopLayer.exe
2092	DesktopLayer.exe
2092	DesktopLayer.exe
2092	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2688	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2688	iexplore.exe
2688	iexplore.exe
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2504	2120	regsvr32.exe	30
PID 2120 wrote to memory of 2504	2120	regsvr32.exe	30
PID 2120 wrote to memory of 2504	2120	regsvr32.exe	30
PID 2120 wrote to memory of 2504	2120	regsvr32.exe	30
PID 2120 wrote to memory of 2504	2120	regsvr32.exe	30
PID 2120 wrote to memory of 2504	2120	regsvr32.exe	30
PID 2120 wrote to memory of 2504	2120	regsvr32.exe	30
PID 2504 wrote to memory of 2556	2504	regsvr32.exe	31
PID 2504 wrote to memory of 2556	2504	regsvr32.exe	31
PID 2504 wrote to memory of 2556	2504	regsvr32.exe	31
PID 2504 wrote to memory of 2556	2504	regsvr32.exe	31
PID 2556 wrote to memory of 2092	2556	regsvr32Srv.exe	32
PID 2556 wrote to memory of 2092	2556	regsvr32Srv.exe	32
PID 2556 wrote to memory of 2092	2556	regsvr32Srv.exe	32
PID 2556 wrote to memory of 2092	2556	regsvr32Srv.exe	32
PID 2092 wrote to memory of 2688	2092	DesktopLayer.exe	33
PID 2092 wrote to memory of 2688	2092	DesktopLayer.exe	33
PID 2092 wrote to memory of 2688	2092	DesktopLayer.exe	33
PID 2092 wrote to memory of 2688	2092	DesktopLayer.exe	33
PID 2688 wrote to memory of 2748	2688	iexplore.exe	34
PID 2688 wrote to memory of 2748	2688	iexplore.exe	34
PID 2688 wrote to memory of 2748	2688	iexplore.exe	34
PID 2688 wrote to memory of 2748	2688	iexplore.exe	34

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1c771a318a92f46a45c33b9ca5515e8f1d427e5a6b7a7ea2c2559acbd962712aN.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\1c771a318a92f46a45c33b9ca5515e8f1d427e5a6b7a7ea2c2559acbd962712aN.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
029ec05bfac7418051cf58ccac060648

SHA1
980bbb8957b423ee351ff66bc79b5cdbe350365a

SHA256
324e00dab719bcf94510871790c7cf1d84ea094cd4d7615de88299eb79882483

SHA512
1eab726a1de5a860c9d42f740bcaf6a160ef0ab84a3b0ce69d0649fb2d18636e283bdeee44e744852f5b6235de3010e99375628da34583abd6f01f095361fd51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90da303bd4d2ddcf4ddfeb7daad165a5

SHA1
96b96ea2b90fabd82054dc52ce63c97abf941661

SHA256
08b8e163ba5f3574c77f19624b12bdfb985c6062ab6353a20eb1e729a9f159fd

SHA512
2bca68e7b8ce6cfab460e6651643d8436bbf61fdd0142ca9c627d8d91cc8c91c3af5d27bd0b97887596dee649a2d2eb09eb29461dfd39bbfbaf15245bb3c48b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51d64ec5dfb1571bdc437683ce0bf5a9

SHA1
59cb4d0e86aa3ab45e8a3964dca7746ccdc349a0

SHA256
d96e4a06d94b10497453f0f10fb455e8f406a9c9811553db45b6668ae2308fd5

SHA512
610482ef8141232784c4dde3ed0d446626a752ae1f4cad960d818b7ad1a7ab0a786cbc36fdcac409dd53980001c9bb5b14707ad1fd1badb6fa45bfbbf80c5b1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf0a25a9a836fd3bc250e3136a0742d4

SHA1
aef161e0c7d25b63c3122c657f354c4aabaa4ffe

SHA256
d908d6679b95ebd3918e9197aaae912f01387a0636a8c12696aff20451630366

SHA512
043cfc124e2027fdf408d7e00e5093c14f7eda7ad491d405119f0b5903a2724d5558cbc9ba76cd38049b3ca2af01fd904619d0934636b30ee8f5a541fba1f4ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2ee8fd46f0cd3bdb6837e785f1bcd19

SHA1
b6fea10253084b0414fd0f8665d930d3365f87a4

SHA256
469f74b67073ba76e01483cfae11e97270aeb9fd7ac108ddf2be16245e558fab

SHA512
557fdb4d0f243d3c223fea1d4b679c577e041318b8ce2730ba0638d3454f291756a11af64af700e7cb4af4792c3f94350a94c0480ab2fc7246eff14143d455d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bc81432793d9fb35099e8584fbae8ba

SHA1
877049dd9e1370dfd040e6b2b6e45050a41cc572

SHA256
84c9e06502bfda2c35d506e00f26513a43f305cdc8e24ec4c88b648ccdf158c8

SHA512
01da9ff8efa369764079b49691d17f595ee5463e8ac652d216f6c6a8831bce4c6db82f7ff226b0ff6717ac61c2bab2da8f4b0e14000ca40e3ac1d7e2bfec0df4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98d810718f412fcd98bb9181fea9e23c

SHA1
5069f10c09dfdfed66e348171c04b7a27738c53e

SHA256
869a11fad6420a4666d60c3a976dceee49ebd0d7a7245787ac022db630194c34

SHA512
ba4613e4f8d527ad967c417e20252a3ff9f3618b10046b46ffaa82db4ff437997db0f1335e14c8f727a5900173f514a19f9eec989af5cf75d631363db5bc1ec0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e7dc66ddf028e32bcb4d853e9e9d437

SHA1
651e80401af96bd8bb3f34eb438f207ef1018f74

SHA256
0430a34374bde51e4b46099275fb3482a4b68fb2092e4ac2a9342b6b21077b2d

SHA512
953a69c85b25699c92f827f4f2104103ea24dfb583d7c240349c7828cea25859454a0da37cfc1a2dc144c49bf510b32e61e70a066f8cd700c58925e9bd59a0e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2833b0e219c774078610e50b07df55e

SHA1
36a54f20cb55ff579a0ad4107f3099247ed369aa

SHA256
35f7c69cefb57290491445faa9922e44cf7467d412362ebca38ee28e758c4b1f

SHA512
ef7273bea6dfc9c48d3c011e592d561bd9aa2ccecc2bcbb0fd2abb2b925ef1602c043690186b4a2bca6b6da11db3d8e46dbb1d88688f17b4cdd50c2af0d4bc3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45519b81f73127b6425c758492336b8e

SHA1
58cc2b290d890193f578664e19865145800a739d

SHA256
fa54d4a431a5a9a68c32472c6ad610192810ea5d0e01fe6d87050e519d360326

SHA512
349439dca8c953c9d2ca628e33c5917cf9b098f5d378ffcbd054bed76b06e8a15b0b4c3c4f836d572f11b558a4e08ec3d9146336f823b563eb017fc3bf4d2d25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89a66852ef60e4fa8d8aeb4147060d6c

SHA1
e84de5c6b8ee79cd9fcc45d6a0fe276542e195f7

SHA256
a12b8a85ac01ab5b2cd734d73e034fdbe88f1175af0133ca6d6e16b33a942c67

SHA512
880e6aba46ec269a84834182ecca8a9751a70ba35267b6517cc64d20c9808d9dea25c2a5169dc8dd76795921e342d301f342ce493d3df9308477656db107f234

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56c974e8cc63919eece139dc5ae1e1f9

SHA1
7071fe1c55672eb712d3445af389d29c084d706c

SHA256
e23087e50fc5f186c908e4bec32faf1ba24344dd1c72e5a0bea0fba7f1e1f0ca

SHA512
ca6e58d7fd124fdb8ed8d21d5a7a3af889463ec3b3b02836d5ffa2beaf0a2db692239e127c20c1ca586028e351bc47026985e46922e1e5192ca7ed85a4f5c264

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fd1362affb219379afe337296e56515

SHA1
03484a43ad2eb55cc908cd0222a0f544389c3aff

SHA256
a823d8bb1f7b88bb61ced14188b33237eef1de6b63c0de731c8960823215a4ad

SHA512
74e7a3ccd6c44039e9bd5756128002df495b1f31ab688123a0bd1a5b1a3b721231a6b824112f929ea05d4f6113cf54d7778f256053c6997d64650f462d0d33ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffbbb6c4fb32bd0dc7d474847c38a999

SHA1
45030d367f6fca93d80fb05a257dc03c0acb6afa

SHA256
ed9df6cc744290012eaf0c9bd44ce686f4d7410517ad409985491c709cd2af44

SHA512
51b3ba4423e5d25a7ede3406804fe26ea731adaf6a58e21b0048fc56b237a98fc370eea8e1f7864cf061c1e62403a10d21db27ca07e516c0ecb88702ee9ee62f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2c6f91f5b87d6e2814d7235712fd749

SHA1
bc1afdd08ada03107df9aea25f75653f2e717f15

SHA256
b5d6afa01bf074e2d748de25d592b8b25d8970b6c0cb964b126aa1af243b402f

SHA512
819740e2b5bd22a82b07f682581206fab447155e1f428add27c663916152c3735b91c930a591642d3f1d8eaeff25fe70768e011f7c317123d0181adcaa9db9ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e17c7101b794f5c6f70a469bfbf8431f

SHA1
84d03f509ec896c9b88f700f021a154027b5bdde

SHA256
23af4db77b675985727c11ea369cfddea7058acc0f9c84a05f4c08a6d807d998

SHA512
51a845a9c87134a319074a4c4060703b3fe6c7f33fb7d11d0c973596b4db43afd16485d8d50fce0b6abdabf9f2583c5f3afb686bd82f8ed633eef90286880528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dc2b04275ebb873743db57889c26620

SHA1
37bd398154df3eb34131fbf5ab6d8a1bea0544ea

SHA256
a97396eaee4a1e8932eadb9bcd99ab95170a5fcf2d74b8e0ef2fceb3439d12fc

SHA512
e26f339623c5274372bb10836194ead74fc2082d74890c22bb78e4aee14814e33aa5b0fe3b9ac5ec8d8fa54921c076bd3fd47c9c8eeb59d1e7ccc61045e9292a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0f5f9256c54d4a4b8ca5d7e0e933887

SHA1
b21ca0838a2cb498734e57fc679c286f66e655af

SHA256
95df937d3ae6fd83a2d0c7e6e6ca1be30bbf540c249032c90d245141123d5850

SHA512
c8747c6ea7c9348a5002a7877b76f18b8a3315308b34e208826d61ba31c62ccc595b906673e096ea0d03945eb540ca69345a76eba60f1ca4b99732e3a92393b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2151c899e33115b880140fe6d8f7c02

SHA1
2f873e57bb167d5bc06c97c36be8f63efb50c189

SHA256
056e22a73bf0d071979293d13fc20fda7119910c64b0aa279aaed728423932f4

SHA512
91f2ccc8a3380c9f4ca0a8ef96996d77e05c22a1312655f2f2819155713d27046d276ba94f8edac12dfd60a8c6e8bf3ac0389460be35f3e5f65119ee9fff891e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD378.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD455.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\regsvr32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2092-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2092-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2092-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2504-1-0x00000000749D0000-0x00000000749EB000-memory.dmp

Filesize
108KB

Download
memory/2504-4-0x0000000000190000-0x00000000001BE000-memory.dmp

Filesize
184KB

Download
memory/2556-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2556-10-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download