ramnit | fe54d24b94dc9b828d4f0b02b6f2dd5e4faf7ea18252d01d1e71bbc5cfd8f210

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33267f5a260fd94c71738c6b6cfe2471_JaffaCakes118.html
Size

1.6MB
MD5

33267f5a260fd94c71738c6b6cfe2471
SHA1

9cf3418182be3c3ff4209360d0d1ecc9546cedfe
SHA256

fe54d24b94dc9b828d4f0b02b6f2dd5e4faf7ea18252d01d1e71bbc5cfd8f210
SHA512

042db15684a2f59747c80a88a5f4de6fd6521347c281b209704068a434419bcb74b9963833fd24506e03256c11c99d16dda0382200b0f5fff8bfde3280ca9cf9
SSDEEP

24576:d+/9LYWAX+/9LYWAz+/9LYWAZ+/9LYWA6+/9LYWAg:F

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 14 IoCs

pid	Process
2944	svchost.exe
2112	svchost.exe
2676	svchost.exe
2584	DesktopLayer.exe
2920	svchost.exe
1584	svchost.exe
2912	svchost.exe
2668	svchost.exe
1952	DesktopLayer.exe
1988	svchost.exe
856	svchost.exe
2884	DesktopLayer.exe
680	svchost.exe
412	DesktopLayer.exe

Loads dropped DLL 11 IoCs

pid	Process
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2944	svchost.exe
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012d51-2.dat	upx
behavioral1/memory/2944-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2112-12-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2112-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2920-34-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2668-46-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1952-52-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/856-62-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2884-70-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2920-33-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2584-32-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2584-31-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2112-13-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA67C.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA62E.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA6DA.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA709.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA62E.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA66D.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA766.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA6BB.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA60F.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA6AB.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421570090"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000072f36b04922c6b4a8b24614885b168cd000000000200000000001066000000010000200000005f4ffb515fa206474ca83655211496e274d4182cf23dff72cc8e4e06320b4d50000000000e8000000002000020000000e85b7e5083d860df8f30666109b3ed75127f7c3d7f6066550fdaa38d64e2c41690000000657cbcda7ac4cb30e487c686606ea4e06b0784a8f608ddf0e0ee00ed80e0936fc21e225ccdb5359ed9efcea5729ce4b133567719fb1778551dd1b0536c60a3d8de50e1f8bd2eac2fe0bd07f42df59f73bb45a6764002654e3ea23bf8abe748ddfa449c68932ae7483c7708b1df933afddbf0954ede492316ac745fa24a12a46a7b81f93bd3fd9e9fef20ac512d7003f14000000027300abf6262cfa8e781e523b577e72044c1adefc80c902d8b03e502900f9a653ea094ec580629aae965d90db49d4da8b6499bfb22293772b98da48393039962	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1502E361-0F5E-11EF-AC1E-72D103486AAB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000072f36b04922c6b4a8b24614885b168cd000000000200000000001066000000010000200000007118b4340a9a7782b8e13e5e8ff91467a947f22e03b7b24c6f23ef13afad5e97000000000e8000000002000020000000e38220cf3d222f7b26e881d9d8a57641b813c7c0c45c1b5129a081cd93e47b5c20000000bc29b9e7efe7a14f471fc18e95bc690d0c220cd544ab3cf473c16f75ab7708154000000076cbff88267c5ba457fe3e3142b1c5ce8a1a58ded0853ff17c296dd72ee9414fe3b94e4b5e6d408855690e5cf54f5bda59abdfa1d1f6e693d875cd6463db2b95	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90477b036ba3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2112	svchost.exe
2676	svchost.exe
2112	svchost.exe
2676	svchost.exe
2112	svchost.exe
2112	svchost.exe
2676	svchost.exe
2676	svchost.exe
2584	DesktopLayer.exe
2584	DesktopLayer.exe
2584	DesktopLayer.exe
2584	DesktopLayer.exe
2920	svchost.exe
2920	svchost.exe
2920	svchost.exe
2920	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
2668	svchost.exe
1952	DesktopLayer.exe
1952	DesktopLayer.exe
1988	svchost.exe
1952	DesktopLayer.exe
1988	svchost.exe
1952	DesktopLayer.exe
1988	svchost.exe
1988	svchost.exe
2884	DesktopLayer.exe
2884	DesktopLayer.exe
2884	DesktopLayer.exe
2884	DesktopLayer.exe
412	DesktopLayer.exe
412	DesktopLayer.exe
412	DesktopLayer.exe
412	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2248	iexplore.exe
2248	iexplore.exe
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
1272	IEXPLORE.EXE
1272	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2180	2248	iexplore.exe	28
PID 2248 wrote to memory of 2180	2248	iexplore.exe	28
PID 2248 wrote to memory of 2180	2248	iexplore.exe	28
PID 2248 wrote to memory of 2180	2248	iexplore.exe	28
PID 2180 wrote to memory of 2944	2180	IEXPLORE.EXE	30
PID 2180 wrote to memory of 2944	2180	IEXPLORE.EXE	30
PID 2180 wrote to memory of 2944	2180	IEXPLORE.EXE	30
PID 2180 wrote to memory of 2944	2180	IEXPLORE.EXE	30
PID 2180 wrote to memory of 2112	2180	IEXPLORE.EXE	31
PID 2180 wrote to memory of 2112	2180	IEXPLORE.EXE	31
PID 2180 wrote to memory of 2112	2180	IEXPLORE.EXE	31
PID 2180 wrote to memory of 2112	2180	IEXPLORE.EXE	31
PID 2180 wrote to memory of 2676	2180	IEXPLORE.EXE	32
PID 2180 wrote to memory of 2676	2180	IEXPLORE.EXE	32
PID 2180 wrote to memory of 2676	2180	IEXPLORE.EXE	32
PID 2180 wrote to memory of 2676	2180	IEXPLORE.EXE	32
PID 2180 wrote to memory of 2920	2180	IEXPLORE.EXE	33
PID 2180 wrote to memory of 2920	2180	IEXPLORE.EXE	33
PID 2180 wrote to memory of 2920	2180	IEXPLORE.EXE	33
PID 2180 wrote to memory of 2920	2180	IEXPLORE.EXE	33
PID 2944 wrote to memory of 2584	2944	svchost.exe	34
PID 2944 wrote to memory of 2584	2944	svchost.exe	34
PID 2944 wrote to memory of 2584	2944	svchost.exe	34
PID 2944 wrote to memory of 2584	2944	svchost.exe	34
PID 2112 wrote to memory of 2480	2112	svchost.exe	35
PID 2112 wrote to memory of 2480	2112	svchost.exe	35
PID 2112 wrote to memory of 2480	2112	svchost.exe	35
PID 2112 wrote to memory of 2480	2112	svchost.exe	35
PID 2676 wrote to memory of 2684	2676	svchost.exe	36
PID 2676 wrote to memory of 2684	2676	svchost.exe	36
PID 2676 wrote to memory of 2684	2676	svchost.exe	36
PID 2676 wrote to memory of 2684	2676	svchost.exe	36
PID 2584 wrote to memory of 2812	2584	DesktopLayer.exe	37
PID 2584 wrote to memory of 2812	2584	DesktopLayer.exe	37
PID 2584 wrote to memory of 2812	2584	DesktopLayer.exe	37
PID 2584 wrote to memory of 2812	2584	DesktopLayer.exe	37
PID 2920 wrote to memory of 868	2920	svchost.exe	39
PID 2920 wrote to memory of 868	2920	svchost.exe	39
PID 2920 wrote to memory of 868	2920	svchost.exe	39
PID 2920 wrote to memory of 868	2920	svchost.exe	39
PID 2180 wrote to memory of 1584	2180	IEXPLORE.EXE	38
PID 2180 wrote to memory of 1584	2180	IEXPLORE.EXE	38
PID 2180 wrote to memory of 1584	2180	IEXPLORE.EXE	38
PID 2180 wrote to memory of 1584	2180	IEXPLORE.EXE	38
PID 1584 wrote to memory of 1480	1584	svchost.exe	40
PID 1584 wrote to memory of 1480	1584	svchost.exe	40
PID 1584 wrote to memory of 1480	1584	svchost.exe	40
PID 1584 wrote to memory of 1480	1584	svchost.exe	40
PID 2180 wrote to memory of 2668	2180	IEXPLORE.EXE	41
PID 2180 wrote to memory of 2668	2180	IEXPLORE.EXE	41
PID 2180 wrote to memory of 2668	2180	IEXPLORE.EXE	41
PID 2180 wrote to memory of 2668	2180	IEXPLORE.EXE	41
PID 2180 wrote to memory of 2912	2180	IEXPLORE.EXE	42
PID 2180 wrote to memory of 2912	2180	IEXPLORE.EXE	42
PID 2180 wrote to memory of 2912	2180	IEXPLORE.EXE	42
PID 2180 wrote to memory of 2912	2180	IEXPLORE.EXE	42
PID 2912 wrote to memory of 1952	2912	svchost.exe	43
PID 2912 wrote to memory of 1952	2912	svchost.exe	43
PID 2912 wrote to memory of 1952	2912	svchost.exe	43
PID 2912 wrote to memory of 1952	2912	svchost.exe	43
PID 2248 wrote to memory of 1196	2248	iexplore.exe	44
PID 2248 wrote to memory of 1196	2248	iexplore.exe	44
PID 2248 wrote to memory of 1196	2248	iexplore.exe	44
PID 2248 wrote to memory of 1196	2248	iexplore.exe	44

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\33267f5a260fd94c71738c6b6cfe2471_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2812
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2480
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2684
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:868
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1480
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2668
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1952
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2084
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1988
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2336
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:856
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2884
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:108
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:680
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:412
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1092
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:1061894 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1196
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:799752 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:734216 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2052
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:1258501 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1272
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:1455109 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:392
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:1586189 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
75d1f2dc3718d0754874c3596ab085b0

SHA1
dbba8391c4e3be5c2a4ccbdd8d979ba2c9c3e9e8

SHA256
5bebb52d8a458ba8f17015114dba192055c79808233608befc86ba4941f38fee

SHA512
c2a1e77774409cb6fb038aa4d1b16cfedfddafd4bd7592e161bd3983a2ddcea23168f4887854d1959b4a9f1ce53559a6d230437ef9455060daa6dfcea0dd8982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43b1c9e77478c2ae9ba7d080f3afcfc5

SHA1
40d5af823060af6d2cc413686558ec183dcca678

SHA256
bf665998ded3f4cf9678801c36e0bf53d537394be4c068b4f97b799755f83471

SHA512
0ef26c800e4fa0084e38cea908b59931f5531005ed0d68c3905a722d90b07167aaba9977dc802f0a01caab88ea3d696876695e6a919b068862f2a3be87ab3e07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e6198078fa731b98f8275e8cd10191b

SHA1
ae7de85b353b99bab5a76fd397842d34d9958c1c

SHA256
99edc83edaa58e923c20061172f014bf5f9769865727203e522ceee4e1e9303c

SHA512
f99bbf4ace6e9520567c9b68dd0c32ad7d1fa8a65988c034aede9c94cf8e0576c2f990f37e274feb133b0b0992d18f5d25e069e50d1a0176ee409f3bdd3e2c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5bd84e8991a11d55796cf2d8d11e983c

SHA1
fb0643d9084d760e7ad38b4f0229281075a1c8bf

SHA256
a8588496ee379952b463e37cde0898837bf2998523b1e43beafb8a656cc3d4b8

SHA512
ebde9c3edd3df1dae8aa0d06cc18228da95bc7b4e27c649ac04a6ecb7eccafe253430efa3a9c8f7e670d17786c3d154a9dac02af328259720292897a74dec7c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3740294ec1e68fd88fdc4ba25584d947

SHA1
5852749b326e23f4fc1ce397ae19288de4d411b7

SHA256
db939c5d023989d7e63d5f202ab112694e41c3f6b8dd52b24172877ace88c2f4

SHA512
27c8a62bbfbb60a523680896822398744f9b10a7b1dec73cf881131030fa965c92cb75e566a251a609c3f8721cf64580da82889b54aba4d95472127820b52d27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67850bf3fd21c424416e743f84a11efd

SHA1
eca072a85af450867c29b063c65b82f631095ced

SHA256
e6ef93561b36fae89658eb0500314ebd542f36bd1fa80a27115e6d055d4a2b12

SHA512
b95320d66b047cfdb2aef8563d07bb891bf23a783db8d5fd87a8637c42780ffd3f57f8d00457c814558d461c75d17a9b9253921c015763e26c3b9d1f1bc4202d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd409fe4160c010fb3ace1e5d06b47c1

SHA1
ac8702062d2c1ca093e3de067682f4956f78a82d

SHA256
5ca403ea9e027d1f5bce228669dc640933093aedbf1b5c7c31da7cec77ac9115

SHA512
91e35ce795aec3d5ff5c8fb0e888b695bb70ed0315f6e018bec50201babf198f295eda32b340591e4aa8364545611b34357831c67d6daf6f313fa395e5b0f2c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
164b5e8527909fbf3cc61a6da9382450

SHA1
d7b727e60b891779cf57aa7937b79425f7247db5

SHA256
7ad839a1979f08c320d1e8a3276e1c18ef7719e5cd9e5d0c4c0e006203410a51

SHA512
06ca338761a326d576476729a08ba4b886981755734b9492dd328df5b90c8b0a8e828da1a54dcdc4ada8a216252de6663d6495eefc6076bf510967f83809210a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a98100bc0495e616c0581b42169c58ef

SHA1
be5af88aa615ef750528c93d32cd1b3b1470fa16

SHA256
0aa07acb849ffbba75c6e5d63aaa4a74e264f9aa7e839464da907ce03cefcc5b

SHA512
32061188b773be2432baaff1293c9ac2742cd03ce6231ccdffe866b744ed0d1a91ff4af879f03e1886feef6852826fbcd59c2f0d4bab0d9fd1a9db11a18c0691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f5383da7d9c4168034bc372d1c652b9

SHA1
cbdd3654e15660171d28492c07ebc67843ed3758

SHA256
e153dea04458a048c8a0386903e0b1a807fde9e4a4b07807e9e41e9421393d69

SHA512
2c65d3c672ce4460aa627f9cb0307cde689df9e2005489e3ee9eeaa2be9e5362138230711f5d20a24b78477271ac6b136957b13f880d2fc357da313211ab9384

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f431e72cce9e11c101071f1d6f45b6c1

SHA1
b9edcb8ed789809cbc55a800b87c63f3c770e2af

SHA256
aee1365e352d102eb6eee0c4b9d818b40bfa191920342353dbc2b21a1fea6a61

SHA512
45c45f92c168af53d58d9dd7e2e6331de7545f3af289cac77863b4baac3e07e746aae1c1f1cd3c16e6bb845c73fbdc64592e19e2f084c56de35e8f71187a7db3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95feed2974c476f955fe3d17019d3a60

SHA1
28170f98b867923d9698c2e368e9122b91a93734

SHA256
bdb3cb235fe105781d547f68096753c5e67df89d5d1d748af7d2ef4825444f78

SHA512
6c29742dd9f670f0a8f5c703afae7bbe1d2ec331876cae79dea39e3b59d32c5726ba22b90bf6c90900c42d28435ebb4e3ac5c929746af222b290ed35d20160d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c84b2bc2ad83c8c5166c88e742aa36e1

SHA1
b94fae4d373f8350700e3034a61933284d5eb2e3

SHA256
6ff70a6c939d1e0b8f35963c045416baa2961713930c704b66ad91847a9b694b

SHA512
c84049a2e3be2d6be7ed91cb325b52b6cbb501c813f286791af3e432265d2cbf4f27b4911a26b16b99db38499a31d8a97edb326b65964319e846e9a08addf813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f00c969ea79d68f44faec7347b834208

SHA1
cbd594c6dc8c107cf505fa7d3826098e69733a8b

SHA256
52beded1c56effe0a040986b054959f827bbd1467d12794788d897e57e95ec7e

SHA512
49ca9a3397c837e7417005d24a61acdbfd2be9d295881c387cf887a15c2d9c2702eb009a1226fbf05ba787acba2df7e530ae68280cf54f5c9b192699d0d47c46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83bda700633690ae83e05a25ecd57a6a

SHA1
cc9eadbf64315543325b2d4eaa9448bfc42d89e0

SHA256
6b41000660ab372ab6372fee58949bb56a5465ca0b8cab1402441ab7692918be

SHA512
0c8ce1369e2b74e4476e0453ba41f9729c062dab294c09ef32e67666c4b09af49a554e61d05be88c347ff2412230a605ca6e288641fcd5040b3ae3064b4576ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
593927d372b940c4c37c06815fc961ef

SHA1
e6ae5ee0d97ef3db2313d3844dfe899ef7db6541

SHA256
28be87f4c54aac91288894ffce12eb0c9c0057679f8c6acdbd30327e8e2840d8

SHA512
0e53dc2feb8256e9220e881ed6ec4990ee0b6bcad71288568796eeea756f6e6ffed905a192907f297b6c5eb4617d9132da28f2701d09e3ed26bc58232b85b134

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62ebdd95cbb85a63e40e6484c3c0530e

SHA1
6bda18095fcca183d68243c125aaf845aadfe7fc

SHA256
bce86a5148c904585317ddf1c695f7fc15f7d945625d21200abe95f1dd9a0a72

SHA512
8b1c221203da791da71d7ec4fa33de349e2a5a115418e868e878b011192bed29993ad0179b84ea5af2b9f08da816c4517515444a48d81de652f690fe4b29a1b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1dc912f840af4020672b5c226298a0b

SHA1
30de9a68747120b3d2aaae8e98b9f8dc40bae77a

SHA256
5214f562a6bb396b9dfec708a42654c988e21da661c2439cf75f1c65b6669865

SHA512
f449cb2c8d6c777d8d33a31e8b6466de3e507925a4802b49d9b991d3179344bdf2ec88d6fb4af018acb1f8e4139e2d323fb67c9cc6eb029783d01b965611c0ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb0cbf2357f63e3d6cf55def38fd9524

SHA1
5a1ded5a294129f6337ee8dc99ba07c054d2a692

SHA256
67432a3dd41af41ab21d6f32d3a7e4ada32ec290ac1128f7cd60c46965494aec

SHA512
396684e2879be397b50991fe21e35a0f78ff6189e03f07f0a8f4a0f5d24495de6e5854518d9c04a7ba9a0030f78a0ea81f1385feb27850094136acdaf3e90ec9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62fa589c39802d1009129415908be2df

SHA1
f6b95ed611057309d60fa7ba4f9c1e2e699de070

SHA256
3bd34b3fb22e2860bab54d5e25141766da1dca42d73d7214587f72d1ed8d1b10

SHA512
4323df3f2cafc585c97a6a8f461a35c107a66c8ad9cd44932754e1190afa7932b6ef48c09910e6e7f25b667d66b8bb1edf8df50d01fa7121fbc2bd85f500473b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f1a5d983f089e53857abff8111a73b2

SHA1
8e30a2874c411bbd40f37597a902dd826b48db59

SHA256
4e16f5a6f456a21f922995fd4f5620093401181a7a7af6dda9c04d5814488edd

SHA512
c37e3b8a9a48429e23e697bf71f25f32d32c38d59e513126092b775543364f21966fd31a51c01010965d262eb97f2182dee6572d7f7f360b95320af9e92dd8f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f801dc59abb4a58485c60284d9410f78

SHA1
58e308f3fb4c377568fd7fba66e317ac94cc1e33

SHA256
e96576f7dd1fd2a286f720f03e2aca752f5916a0aefee895c2045068a646da5b

SHA512
83f38f2e9c5e4ca14fca57ec774e9af9a5b8436eb3744efdf7f3239c72a1d048e99805d76f936117bc00cfb2c7038cb0ca201855b64195589b470d7d8335e319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H3JZY2DM\favicon[1].ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBF7E.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/856-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1952-52-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2112-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2112-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2112-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2112-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2584-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2584-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2668-46-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2668-50-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2884-70-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2884-69-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2920-34-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-33-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2944-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2944-10-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download