ramnit | 07a96904e2616b3885b3d8036868b3b6e712c646d91efe182890908f6f7089dd

Analysis

max time kernel
121s
max time network
135s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8127b0d0533aa7a8f2c9c072066fc25a_JaffaCakes118.html
Size

2.3MB
MD5

8127b0d0533aa7a8f2c9c072066fc25a
SHA1

bf0107a9efe0551c837dd6875682509dff746fac
SHA256

07a96904e2616b3885b3d8036868b3b6e712c646d91efe182890908f6f7089dd
SHA512

a68eb0d5480463ea02bdff2a7bf4fdbe496f186ab2ba37ef166772c39b2ff7a6c8c8d6fbcadae31cc9dfe90ccecfdc2c01af4909a8b2daffff18402f07415cfd
SSDEEP

24576:H+Wt9BJ+Wt9Bq+Wt9Bg+Wt9BB+Wt9Bt+Wt9B1+Wt9B5+Wt9Bi+Wt9BX+Wt9Bz+W2:/

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 26 IoCs

Processes:

svchost.exeDesktopLayer.exeFP_AX_CAB_INSTALLER64.exesvchost.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeFP_AX_CAB_INSTALLER64.exesvchost.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exe

pid	process
2704	svchost.exe
2632	DesktopLayer.exe
1784	FP_AX_CAB_INSTALLER64.exe
2484	svchost.exe
2376	svchost.exe
2536	DesktopLayer.exe
2788	svchost.exe
828	DesktopLayer.exe
2236	svchost.exe
1492	DesktopLayer.exe
1276	svchost.exe
2864	svchost.exe
2756	DesktopLayer.exe
1980	svchost.exe
852	DesktopLayer.exe
2380	svchost.exe
328	DesktopLayer.exe
2396	svchost.exe
2064	FP_AX_CAB_INSTALLER64.exe
2396	svchost.exe
284	svchost.exe
2140	DesktopLayer.exe
2836	svchost.exe
2360	DesktopLayer.exe
2904	svchost.exe
2232	DesktopLayer.exe

Loads dropped DLL 17 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid	process
2920	IEXPLORE.EXE
2704	svchost.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2704-10-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2704-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2632-16-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2632-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2632-18-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2536-138-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2376-137-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2232-1129-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 29 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px48B4.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4624.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3E19.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px45C7.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px479B.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px473D.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4DE2.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4E5E.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px45C7.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px46FF.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4808.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4E20.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4866.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxF595.tmp	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET4579.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET4579.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET4D95.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET4D95.tmp	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000006ef8a52d9a7800b5df545f2c26096f529231b9e43837af4c71a6d3d1659e6e92000000000e80000000020000200000002d531e96cb954e9fcc7a112d0e2440dfe2478ef7a8881fe98640e344532eab3420000000c1c34ee7a94b20ec7af65ab3abdd40c9ef5152368a528beb2f8c7e684bd364a8400000009ea46b9a0ccd2d4d410fef005ebe487821ac19df9774e36d9e9c02abb9aecf271b161797c852d68b8c241e34b5041fa04678bb7f630a836e62ee2722c73f6a8e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{41E78D91-1DCD-11EF-9DB4-7A4B76010719} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 902ed30adab1da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000009be97df17b7ddcd9da6665c2a231d3e6624a54f93ce1c1e9df06f67d33b7583d000000000e80000000020000200000002bd85feeb1761f5acdf688e1d9282acf4188326a4c0bf514253540ffd1e4c56390000000f44235d06069ab6b0c6a6fe790e6e64b8bf91e96b3e6d056f5e483c1c61f356864dedced85e6843faf7a478e3dc13ab03acc9d63f3e768bfa5fa1d2a3ca27bf1efea021c232a651c04e6ac2cacde82efb297d486b0a613a58d03f3f8346c9e1c2b3ef559dd6c7add722bfb141cb573f7127a64180525344daaa76b133e9cec6e8ffaf564e914b5d68fb4e165b0bcfef140000000e3931900ffe723a2c98d14b2c915b856ccf2836dc8a7efa5abed309e65dd4bf6ab815793cd19ad9ba575805de0ad49a9f6879216383de448d5649313b9a31064	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423157160"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

DesktopLayer.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exesvchost.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exesvchost.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exe

pid	process
2632	DesktopLayer.exe
2632	DesktopLayer.exe
2632	DesktopLayer.exe
2632	DesktopLayer.exe
1784	FP_AX_CAB_INSTALLER64.exe
2376	svchost.exe
2376	svchost.exe
2376	svchost.exe
2376	svchost.exe
2536	DesktopLayer.exe
2536	DesktopLayer.exe
2536	DesktopLayer.exe
2536	DesktopLayer.exe
828	DesktopLayer.exe
828	DesktopLayer.exe
828	DesktopLayer.exe
828	DesktopLayer.exe
1492	DesktopLayer.exe
1492	DesktopLayer.exe
1492	DesktopLayer.exe
1492	DesktopLayer.exe
1276	svchost.exe
1276	svchost.exe
1276	svchost.exe
1276	svchost.exe
2756	DesktopLayer.exe
2756	DesktopLayer.exe
2756	DesktopLayer.exe
2756	DesktopLayer.exe
852	DesktopLayer.exe
852	DesktopLayer.exe
852	DesktopLayer.exe
852	DesktopLayer.exe
328	DesktopLayer.exe
328	DesktopLayer.exe
2396	svchost.exe
2396	svchost.exe
328	DesktopLayer.exe
328	DesktopLayer.exe
2396	svchost.exe
2396	svchost.exe
2064	FP_AX_CAB_INSTALLER64.exe
284	svchost.exe
284	svchost.exe
284	svchost.exe
284	svchost.exe
2140	DesktopLayer.exe
2140	DesktopLayer.exe
2140	DesktopLayer.exe
2140	DesktopLayer.exe
2360	DesktopLayer.exe
2360	DesktopLayer.exe
2360	DesktopLayer.exe
2360	DesktopLayer.exe
2232	DesktopLayer.exe
2232	DesktopLayer.exe
2232	DesktopLayer.exe
2232	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

IEXPLORE.EXE

description	pid	process
Token: SeRestorePrivilege	2920	IEXPLORE.EXE
Token: SeRestorePrivilege	2920	IEXPLORE.EXE
Token: SeRestorePrivilege	2920	IEXPLORE.EXE
Token: SeRestorePrivilege	2920	IEXPLORE.EXE
Token: SeRestorePrivilege	2920	IEXPLORE.EXE
Token: SeRestorePrivilege	2920	IEXPLORE.EXE
Token: SeRestorePrivilege	2920	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

iexplore.exe

pid	process
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1192	iexplore.exe
1192	iexplore.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
1192	iexplore.exe
1192	iexplore.exe
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
1192	iexplore.exe
1192	iexplore.exe
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
1192	iexplore.exe
1192	iexplore.exe
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
304	IEXPLORE.EXE
304	IEXPLORE.EXE
480	IEXPLORE.EXE
480	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exeFP_AX_CAB_INSTALLER64.exesvchost.exesvchost.exeDesktopLayer.exesvchost.exe

description	pid	process	target process
PID 1192 wrote to memory of 2920	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 2920	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 2920	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 2920	1192	iexplore.exe	IEXPLORE.EXE
PID 2920 wrote to memory of 2704	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2704	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2704	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2704	2920	IEXPLORE.EXE	svchost.exe
PID 2704 wrote to memory of 2632	2704	svchost.exe	DesktopLayer.exe
PID 2704 wrote to memory of 2632	2704	svchost.exe	DesktopLayer.exe
PID 2704 wrote to memory of 2632	2704	svchost.exe	DesktopLayer.exe
PID 2704 wrote to memory of 2632	2704	svchost.exe	DesktopLayer.exe
PID 2632 wrote to memory of 2784	2632	DesktopLayer.exe	iexplore.exe
PID 2632 wrote to memory of 2784	2632	DesktopLayer.exe	iexplore.exe
PID 2632 wrote to memory of 2784	2632	DesktopLayer.exe	iexplore.exe
PID 2632 wrote to memory of 2784	2632	DesktopLayer.exe	iexplore.exe
PID 1192 wrote to memory of 2520	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 2520	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 2520	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 2520	1192	iexplore.exe	IEXPLORE.EXE
PID 2920 wrote to memory of 1784	2920	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2920 wrote to memory of 1784	2920	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2920 wrote to memory of 1784	2920	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2920 wrote to memory of 1784	2920	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2920 wrote to memory of 1784	2920	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2920 wrote to memory of 1784	2920	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2920 wrote to memory of 1784	2920	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1784 wrote to memory of 764	1784	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1784 wrote to memory of 764	1784	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1784 wrote to memory of 764	1784	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1784 wrote to memory of 764	1784	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1192 wrote to memory of 1080	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 1080	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 1080	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 1080	1192	iexplore.exe	IEXPLORE.EXE
PID 2920 wrote to memory of 2484	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2484	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2484	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2484	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2376	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2376	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2376	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2376	2920	IEXPLORE.EXE	svchost.exe
PID 2484 wrote to memory of 2536	2484	svchost.exe	DesktopLayer.exe
PID 2484 wrote to memory of 2536	2484	svchost.exe	DesktopLayer.exe
PID 2484 wrote to memory of 2536	2484	svchost.exe	DesktopLayer.exe
PID 2484 wrote to memory of 2536	2484	svchost.exe	DesktopLayer.exe
PID 2376 wrote to memory of 2292	2376	svchost.exe	iexplore.exe
PID 2376 wrote to memory of 2292	2376	svchost.exe	iexplore.exe
PID 2376 wrote to memory of 2292	2376	svchost.exe	iexplore.exe
PID 2376 wrote to memory of 2292	2376	svchost.exe	iexplore.exe
PID 2920 wrote to memory of 2788	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2788	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2788	2920	IEXPLORE.EXE	svchost.exe
PID 2920 wrote to memory of 2788	2920	IEXPLORE.EXE	svchost.exe
PID 2536 wrote to memory of 2480	2536	DesktopLayer.exe	iexplore.exe
PID 2536 wrote to memory of 2480	2536	DesktopLayer.exe	iexplore.exe
PID 2536 wrote to memory of 2480	2536	DesktopLayer.exe	iexplore.exe
PID 2536 wrote to memory of 2480	2536	DesktopLayer.exe	iexplore.exe
PID 1192 wrote to memory of 2828	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 2828	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 2828	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 2828	1192	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 828	2788	svchost.exe	DesktopLayer.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\8127b0d0533aa7a8f2c9c072066fc25a_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2784
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:764
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2480
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2292
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:828
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1656
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2236
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1492
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2464
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1276
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1592
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2864
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2756
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1932
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1980
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:852
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2172
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2380
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:328
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:264
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2396
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:536
- - C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2064
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2624
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2396
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2140
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1680
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:284
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2392
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2836
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2360
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2300
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2904
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2232
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1676
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:472068 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2520
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:275474 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1080
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:734216 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:668683 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1540
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:1061909 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:668686 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1588
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:5387271 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2688
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:799763 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:304
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:4142096 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a15c8dae80984e6e21d31a401c3dd33

SHA1
95b82247750069fa90d80a2c570a910611162f43

SHA256
c3eb34373f82a93ce7aa8c1e46b2d29193357c6d98283981e134768fbbeca291

SHA512
4a19af2e15f1ebb8d399821f8505e5664547dc3facb55619aeff1e4e906413c5f6c94841d4539c54159ee94eb23e2d8f0fb0faa7d35ff1f3896ce4357c7679ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4018396c8ed83a407ef7d9bfed2f346f

SHA1
863e07e68cc4ad58cb8f8b22c45e048c19dffff8

SHA256
db90c2ba99d8baa12ecd910def49b42d31065b6896e314628a89daa7238a2b03

SHA512
65ba1029c43769cc6c48e5077b8cfcd60a1f28d9debfef46ee396692816454f86d4280c9539e468a23ef8de4c462e4898e19b81f1f3931e624176c28da384deb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af706effef6dd149452c6bb213906cdc

SHA1
897577f2b9a4ae0578be043312c0a4bc4aa16508

SHA256
c59a63d06de0c91d7969c248f3b94dd1bcc740e33b8a5eef5aea221506c8b0f3

SHA512
85679b9b5d09ec2365174809faabe8c5333e086c54b585a7799e78cada32d86da163e2098bfc9f84061ea01b0fb8cc7158aa3e23c74dc88d83e9cb343f63ee58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c96a2700167602052cc030f2a26e0b1

SHA1
4e14842fc42c5035cf34a0367fa2ca653c7619b8

SHA256
7f8c64cc5e0f57ec73d46fdf9fd5388b79fbe6195b59a1d44050a2a4ecfaa09b

SHA512
d322f19805a36bf6cc9d51dc3ac85ce36e83a4c6edef9d77e31f394a88364e46d2387235c146096a1202948ff74283e35f0034dba708bcec3ef527e32b53bd6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67d08e810102f994c726d738f00ead5c

SHA1
532ce5c1c957beff6989d5e89b29a4c29eba0c5f

SHA256
fd78d1abe8273817b02afcb6756ccaea5635e7ce6e610ab0f4f0c7dbf55a1177

SHA512
97cdbc0ececcfd70d49d8890abd0f426f13c5ea04deb10c16448e52c8518a4aeee4cbb313ffff6f2be9f1feff769a3c5342325d63a0509a68b07e43ba8b87f33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ff9d871a68e90659c6ab69e25752d24

SHA1
39360c4898460ebb50e2558365bafa4450c333e8

SHA256
4fb5d41808183149e40125080df5f8e5a389d7fdd6eb0aedcbc3d893a3fdbacf

SHA512
0b90b1313f7329bfb8624b7d0c5c84405dcfba719dbeeb44fd458e24c4c7c6f025720038ccc72c3b76e79332888e2e2e07f1ac939a499862e5d03e277351f14a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06edfb8e3733511734e93dec58e00328

SHA1
1a637b7a8746a87a741b741374c263fb1f795b75

SHA256
a5856b6164a7ba8b854e69ac83fb31e3f9884f14873831df743ff3f4e4803d90

SHA512
03861d029dffa066d63ce712840572d8cc3d137043b2daa3635d2e5d403d50831a7280f064c9d99d4ca5582475bd5c7dc4a174962a41fc5e9b599d1431b0b6ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cfeaee87df1d3058ae91eca75dd3e35

SHA1
882df3116a659ee0255ee3a7e6f4ef40cd7afeb2

SHA256
b5d4f102fce67e26474c4c9ee22a095a71c517a650e116e12a1d6a6bb052fccc

SHA512
995ee09b20628e41225cc03f0ab79588290754c7d71aa0462a0154660e505177a27926cfb74c36370085a0d8699d28e62f4ea7c13eac0e717127f5ad264c7c74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c07d35dffb4a1cf888efecfb157a6e1

SHA1
53c8a1ae25a56209103cce173211c66d59299ea5

SHA256
22e67a4b8664d583ce77bec5d162428d05968c4fc1f32c0f8ae658e0847233ee

SHA512
e900b1a1361fe0b0bf1bbcd6c5f12e77839f4835fc1f736c559c11befddcb3d2b941a7843472ba7b6a116293e01d5dafa55b628446f4ed6efcba8d5b1e8c2717

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27eaa1977288328991c1e5763d0ca3d4

SHA1
5cc99236ee3b94d56be96e17e887ae53efe6bdbe

SHA256
08882c5665a13c9f8422ccecdfa838f6ae9c78f2e2f173206a4bd9a6a118743d

SHA512
930bb546e821672fafdc6a3389fb3c93ca0eb0887e82842fc5c9a244f88f88a8793d458fc6a0c1f3be67442c66e9a548d5ff9a9a50fda3cfd9fbcc3151421cf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf79c418567c52e0f82806e75abc3111

SHA1
7cc36749d8975711026799994df8f54637c0c108

SHA256
6794e0f17d4555692482712c3d8345f1e3507ea09f2ebeeaec93db7d14b7eb6e

SHA512
04b633b83b9d7df27174672e053eee21795eda7305021946a96a401ce72526adbfdcef0ed239b13423fbae5a637c0b35233364535738fc5ed84883d3da1c54be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c17392008ba75023080c931240404e2

SHA1
cc8082bc4039b2d2e5895a7cd5cddec73d986da2

SHA256
9ff5631d515d68aebf84d2f1af369f0df116ea2dcd08ed92ab73dab01956d0e2

SHA512
cabe521e3b83ecb269f25a4f7a79cfe93af17a57eec7fcd77b368fe6a51bffc65cf172f335d3e3de889e8ee584f8c24e8382ebc6761adec066406e4045fe6dc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61fbc66e3ac8a146884de2d073cf8a64

SHA1
75b3c6dd975b75ae3512c3fa745ac18d9c7756b7

SHA256
7ad27852e19dad4537b4c94f87fbfac85b69927b5f394c73b2137896af2320fe

SHA512
1b9382cce79c585b6f3c37a82995384a28603e7c87aef10d31afdba10d7927dd777dd70f373f1a3a6c3f295ff802561ab1d320407ee6b4c949769608e4830c6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0893e3a4db7d0a045b69a2e7c1500fdd

SHA1
6016471c6cefbb076cb026699533c2d71754a815

SHA256
4da6766a1386a0e468a5af24ee1499efce8c1dd82c4ddaefb7b7c578396eb42d

SHA512
e899e97aecf01bea7eeaf35f9e195ab5c40aa0642c6c1dd4e02fa405236b25bccece60297e8eef90d5b7d50ac56a0cf8b9a741f34310eecf14bfb10e71bef868

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a7ca62f92d0013312923bc2081d5e61

SHA1
233a0c19a5f06766609ed605495b7c00d3eb3fd3

SHA256
cc6764ec56411624b118319ea0d980e2570a2f674364c3b482022139a2abc4c2

SHA512
b41f3948552355b96d209a5da7dcac57d687156e3f2c6493416b236b47780cd2a0fede7934abbecc7cc26157b7b87e2f1c2d06646d5b1abb34257d514a8b34ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
156a18a4254f62f456520ed948174d09

SHA1
859269cc27223cd3fa857c2c940be82aec8d98bc

SHA256
f1e235a5073fc48179727b7922c28358d476e149a140ab68a05f94301a3ebba8

SHA512
7037bee29d5d633ac2df1c2084721d24691f25a27ef4bc1439326c1a91819fa5f08c6f5f54eb5cfe32f1624079996bf61cf8b24a1ba49dee9cad0b961741d20c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1fa7d786c1ae1cb69ab46023c6ae72f

SHA1
01ae5dfea58b33ab6780e93902226b13220dc728

SHA256
7bd89350889c289633c5ecf2befe19aae3b8b0765eb8fe02d81fcef58cdd83ac

SHA512
954e9a4195fb8011a2395cbe7f90749294bdf8e6f93b53727495d06f2b895b24c95041115d7d769414b1312591f6663cbcbda7bd4faf17f1a3376f8e97c940f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98ee8a7f8226b29797877fe5e2d74da0

SHA1
c2afdab8be96239f15ec3e60a15f32b11d4dde99

SHA256
673f8b2dc4d4f8ccdb24fd3b06e604f6546e5b685d71b7c0991fa41116f632b7

SHA512
47c5e239fd97f52eade16323cf12e3f3d1759153f0f70b56f87d82cd1db2df5c76e87025990d8f1032da402380b4fa6d2815cc83b7b90303ad2609613cdf1690

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8907f23ddebb9e922839fa2555489d34

SHA1
842fbbbf577f1e522c948001c6758e072a8656dd

SHA256
1d546e9a45979b752e4ba446c917ecc4d84207668f5c1fbd7356185dc0f96532

SHA512
4728450f53f9affb0a4b3e59e296cd0ec9afa8f20cf9604201952ee122fdc36ef5ae30a5e634271b30a56394e7bc3c7d1f104620f9e6c4b163e59b9cbc863405

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f03ac4b338bd251c68f0f87513599aef

SHA1
09cced380d9b36632e8681f3e65132070b2fa6af

SHA256
c012dffd71b1322b9f088d3019057f2f2e6c9665e5b49080ff05175dec409c6c

SHA512
de63c66a7c068fc916a475bfa930dafcab7478bcb3d7d75ab311aada42d8d46d9ea1cf3bdd4b5d2bf1923c0f4824a978e03a33a606066301cd8c59a0ddc80a79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4888adfd884b0dd92041fe7517ae97c

SHA1
3fd2f162a0e9869a8c90b5a0d71cff01b6758459

SHA256
a9346ee7e9b1108f798d94e299a9b876eeaa34398ebeebb90113c7dc0a3fb49e

SHA512
47099c6ffb4730cd9a31daad42678b05d52f966b66cc22c68b4e249aadcefba45ac07a22d5fd8ba11011a569ec2ae4967ba89937339c02b725a6f3f74e1d45fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c2aba36c346122fdf7d2b3649517951

SHA1
3c7814ad9c860ca6d1c0ee5e29e6a8b2efce5301

SHA256
91dd5f47812bf234a7274e3f2ce0d1ad667550cbafaa6a37aadff7c68ab281ca

SHA512
0fa8476fefbe3b0d140eda8a5c371c01ef6a2f2f8fa13f70cd0e7c593669ca5f9cba1e8b34848de16246456bd991ff7b603233f19f988d30d40a05afc3d51d90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b281d745bf8812d39df104e03178abdb

SHA1
e495764f3b507631adfd6ac1b0abe37dac26ab97

SHA256
29ea43676d82a5d9e8a23cdcf680f088f63a11e6637f39b1767a27a9a5b77c86

SHA512
dc73451a6050721795e837e7852453351baa76cbcdd20cda015df9a79cc3037c0ad0372339e5ed49af93895f9e61c37b4dd94e5bee75124b1a1b26a4c4b10ba0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16733d2479e04e47b882c8ae139404df

SHA1
efec9d15538ee54084cfe7cfe4c2fdee5e5837d9

SHA256
412c17915be77dabf7ecacbe9fdd16698705edbd23425138093344fb396aec35

SHA512
664ca468540ca82e58ccaf1e464cdb63206a92f232e77369548441a07e1fee9456ff382348cf7b4e08deba3e83cea7e24324f108a8151b5fcbfbe2b98a9ea7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab40F8.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4178.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4616.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
memory/852-277-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2140-787-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2232-1129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2376-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2376-134-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2536-141-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2536-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2632-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2632-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2632-20-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2632-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-8-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2704-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download